[Haskell-cafe] Password hashing
tphyahoo at gmail.com
Tue Nov 25 10:39:27 EST 2008
Just to note, the comment about md5 is incorrect. I switched to SHA512
as you can see in the code.
2008/11/25 Thomas Hartman <tphyahoo at gmail.com>:
> What does haskell cafe think of the following module for drop-in
> password hashing for webapps? Seem reasonable?
> import Control.Exception (try, IOException)  -- try needs a result type with modern base
> import Data.Char (ord)
> import Data.Digest.SHA512 (hash)             -- hash :: [Word8] -> [Word8], from the Crypto package
> import qualified Data.ByteString as B'
> import qualified Data.ByteString.Char8 as B
> import System.Random (mkStdGen, next)
>
> -- store passwords as a SHA512 hash of password ++ site salt (not md5, as the
> -- original comment said), as a security measure
> scramblepass :: String -> IO String
> scramblepass p = do
>   etSalt <- try (readFile "secure/salt") :: IO (Either IOException String)
>   case etSalt of
>     Left _  -> fail errmsg
>     Right s -> -- return . show . md5 . L.pack $ p ++ s
>       -- the digest comes back as raw bytes and is repacked as a Char8
>       -- String, so the result is binary, not hex-encoded
>       return . B.unpack . B'.pack . hash . B'.unpack . B.pack $ p ++ s
>   where errmsg = "scramblepass error, you probably need to create a \
>                  \salt file in secure/salt. This is used for \
>                  \hashing passwords, so keep it secure. chmod u=r \
>                  \secure/salt, and make sure it's skipped \
>                  \in version control commits, etc. A good way to generate a \
>                  \salt file is (e.g., on ubuntu) \
>                  \writeFile \"secure/salt\" =<< ( strongsalt $ readFile \
>                  \You could also just type some random seeming text into \
>                  \this file, though that's not quite as secure. \
>                  \Keep a backup copy of this file somewhere safe in case of"
>
> -- | eg, on ubuntu: strongsalt $ readFile "/dev/urandom"
> -- reads 10 bytes from the source, turns their codes into one number,
> -- seeds a StdGen with it and returns the first generated Int as a String
> strongsalt :: IO String -> IO String
> strongsalt randomSource = return . salt' =<< randomSource
>   where salt' = show . fst . next . mkStdGen . read . concat . map (show . ord) . take 10
> 2008/10/30 Bulat Ziganshin <bulat.ziganshin at gmail.com>:
>> Hello Thomas,
>> Thursday, October 30, 2008, 3:32:46 PM, you wrote:
>>> No salt, but apart from that, should be fine, right?
>> 1) without salt, it's not serious - easily broken by dictionary
>> 2) afair, md5 isn't considered now as cryptographic hash
>> Best regards,
>> Bulat mailto:Bulat.Ziganshin at gmail.com
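An added example, mine and not from the thread, in Python rather than Haskell so it runs with only the standard library: it reproduces the shape of the scheme above (one site-wide salt file, a single SHA-512 pass over password ++ salt) beside a per-user-salt PBKDF2-HMAC-SHA512 variant, so the point Bulat's dictionary remark turns on can be checked directly. The function names, the stored-string layout and the SITE_SALT value are assumptions of this example, not anything from the posted module.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the contents of "secure/salt" (assumption, not a real value).
SITE_SALT = b"constructed-site-wide-salt"


def scramblepass_sitewide(password: str, site_salt: bytes = SITE_SALT) -> str:
    """The thread's scheme: every account shares one salt and gets one SHA-512 pass.

    Hex-encoded here for readability; the Haskell version returns raw bytes."""
    return hashlib.sha512(password.encode("utf-8") + site_salt).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA512.

    Everything needed to verify later (scheme, cost, salt, digest) is kept in
    one string, so the salt no longer has to live in a separate file."""
    if salt is None:
        salt = os.urandom(16)          # fresh per user, drawn from the OS CSPRNG
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha512${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha512":
        return False
    _, iters, salt_hex, dk_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def same_password_distinguishable(password: str) -> Tuple[bool, bool]:
    """Two users pick the same password.

    Returns (site-wide hashes are identical, per-user hashes differ): with a
    single shared salt the stored values collide, which is what lets one
    dictionary pass cover every account; per-user salts break that."""
    a = scramblepass_sitewide(password)
    b = scramblepass_sitewide(password)
    c = hash_password(password)
    d = hash_password(password)
    return a == b, c != d


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print(same_password_distinguishable("hunter2"))
```

The shared salt in the posted module does stop a precomputed table built without knowledge of the salt, but once the salt file leaks, or simply for any two accounts on the same site, identical passwords hash identically and one guessing pass covers all of them; a per-user salt removes that, and the iteration count makes each guess cost more than one SHA-512 call.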