[Chicago-talk] dancer2 authentication

Daniel Rench drench at gmail.com
Tue Aug 11 20:35:50 PDT 2015

I agree with Chris: this looks like a good plugin if you use the
default bcrypt mode.

I'd suggest letting the module generate the salts for you though, and
I'd go with a single database column since the salt is embedded in the
bcrypt string itself[1].

Any thoughts on the default cost/work factor of 4? It seems low. Just
as a comparison, Devise (a common Rails authentication library)
defaults to 10.

[1] There's a decent explanation of the format in answer #2 here:


On Tue, Aug 11, 2015 at 6:30 PM, Chris Hamilton <cjhamil at gmail.com> wrote:
> I don't use Dancer, but I believe what you're looking for is
> Dancer2::Plugin::Passphrase.
> https://metacpan.org/pod/Dancer2::Plugin::Passphrase
> The important things to do (especially if you opt not to use a plugin) is to
> ensure you are using distinct per-user salts and using a strong hashing
> algorithm (e.g. bcrypt).  You'll store the salt and the bcrypt result in two
> columns in your DB.  To validate an authentication request from a user you
> will take their input, concatenate it with the same salt, bcrypt the result,
> and then compare the output to what you have stored.  If they match, the
> password was correctly entered.
> -Chris
> On Tue, Aug 11, 2015 at 5:21 PM, <richard at rushlogistics.com> wrote:
>> I am using dancer2 and was wondering if someone could point me in the
>> direction of code that encrypts a password provided by a user and so that it
>> can be stored in a MySQL database and code that would would allow me to
>> match a provided password with the stored one when the user wants to log
>> back in. Would in be better to use some sort of dancer plugin or just write
>> my own code that uses Blowfish and Crypt:CBC? I am hoping that there must be
>> some strong existing code out there. Please let me know if you know of any
>> or if you have any ideas.
>> Thanks
>> _______________________________________________
>> Chicago-talk mailing list
>> Chicago-talk at pm.org
>> http://mail.pm.org/mailman/listinfo/chicago-talk
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk

More information about the Chicago-talk mailing list