[Haskell-cafe] Password hashing

Thomas Hartman tphyahoo at gmail.com
Tue Nov 25 10:39:27 EST 2008


Just to note, the comment about md5 is incorrect. I switched to SHA512
as you can see in the code.

2008/11/25 Thomas Hartman <tphyahoo at gmail.com>:
> What does haskell cafe think of the following module for drop-in
> password hashing for webapps? Seem reasonable?
>
> import Control.Exception (try, IOException)
> import Data.Char (ord)
> import Data.Digest.SHA512 (hash)
> import qualified Data.ByteString as B'
> import qualified Data.ByteString.Char8 as B
> import System.Random (mkStdGen, next)
>
> -- store passwords as md5 hash, as a security measure
> scramblepass :: String -> IO String
> scramblepass p = do
>   -- the site-wide secret lives in a file outside version control
>   etSalt <- try (readFile "secure/salt") :: IO (Either IOException String)
>   case etSalt of
>     Left _  -> fail errmsg
>     Right s -> -- return . show . md5 . L.pack $ p ++ s
>                return . B.unpack . B'.pack . hash . B'.unpack . B.pack $ p ++ s
>   where
>     errmsg = "scramblepass error, you probably need to create a salt file in \
>              \secure/salt. This is used for hashing passwords, so keep it secure. \
>              \chmod u=r secure/salt, and make sure it's skipped in version control \
>              \commits, etc. A good way to generate a salt file is (e.g., on ubuntu) \
>              \writeFile \"secure/salt\" =<< (strongsalt $ readFile \"/dev/urandom\"). \
>              \You could also just type some random seeming text into this file, \
>              \though that's not quite as secure. Keep a backup copy of this file \
>              \somewhere safe in case of disaster."
>
> -- | eg, on ubuntu: strongsalt $ readFile "/dev/urandom"
> strongsalt :: IO String -> IO String
> strongsalt randomSource = return . salt' =<< randomSource
>   where
>     -- seed a StdGen from the first 10 bytes of the source and show one draw
>     salt' = show . fst . next . mkStdGen . read . concat . map (show . ord) . take 10
>
>
>
> 2008/10/30 Bulat Ziganshin <bulat.ziganshin at gmail.com>:
>> Hello Thomas,
>>
>> Thursday, October 30, 2008, 3:32:46 PM, you wrote:
>>
>>> No salt, but apart from that, should be fine, right?
>>
>> 1) without salt, it's not serious - easily broken by a dictionary
>> attack
>>
>> 2) afair, md5 isn't considered a cryptographic hash now
>>
>>
>>
>> --
>> Best regards,
>>  Bulat                            mailto:Bulat.Ziganshin at gmail.com
>>
>>
>
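An added example, not part of the thread or Thomas's module, written in Python so it runs stand-alone with only the standard library. It contrasts the posted scheme (one site-wide secret from secure/salt shared by every user, so two accounts with the same password store the same value) with a per-user random salt, and goes beyond the thread by adding PBKDF2 stretching and a constant-time check. The site-salt value, the record format and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Stand-in for the contents of the posted module's secure/salt file
# (constructed value; the original reads it from disk at runtime).
SITE_SALT = b"constructed-site-wide-secret"

def scramblepass_sitewide(password: str, site_salt: bytes = SITE_SALT) -> str:
    """Same shape as the posted scramblepass: SHA-512 over password ++ site salt.
    Every user shares the salt, so equal passwords produce equal records."""
    return hashlib.sha512(password.encode("utf-8") + site_salt).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA512 stretching.
    Record format (constructed): 'pbkdf2_sha512$<iters>$<salt hex>$<dk hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time, so timing does not leak how much matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def equal_passwords_collide(scheme: Callable[[str], str]) -> bool:
    """Do two accounts with the same password end up with identical records?
    True for the site-wide salt, False once each record carries its own salt."""
    return scheme("hunter2") == scheme("hunter2")
```

With a shared salt, one cracked record reveals every account using that password and a precomputed table built against the leaked salt covers the whole user table; per-user salts force the work to be repeated per record, and the iteration count makes each attempt costly.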

