[Haskell] ANNOUNCE: pwstore 1.0 (Secure password storage)

Mark Wotton mwotton at gmail.com
Mon Feb 7 04:23:43 CET 2011


If you're going to use C anyway, why not bind bcrypt?

mark
On 07/02/2011, at 2:13 PM, Peter Scott wrote:

> Hi everyone,
> 
> If you need to store and verify passwords, the usual advice is to use bcrypt. It neatly handles all the security issues, with a simple API. But Haskell doesn't have bcrypt bindings, so people are tempted to roll their own password storage methods, and perhaps get it wrong. I decided to fix that. The pwstore library handles all the details of password storage for you, in a way that should be so easy to use that there's no reason not to use it.
> 
> WHAT IT DOES
> 
> You hash and salt passwords with one function, and verify user input against these password hashes with another function. For more information, see the API docs:
> 
> http://hackage.haskell.org/packages/archive/pwstore-fast/1.0/doc/html/Crypto-PasswordStore.html
> 
> 
> HOW IT WORKS
> 
> The basic algorithm is this:
> 
> * Combine the user's password with a randomly-generated salt.
> 
> * Hash this slowly. By iterating SHA-256 a few thousand times, we make brute-force guessing a lot less practical.
> 
> * Store this hash along with the salt.
> 
> This scheme is essentially an implementation of the PBKDF1 key derivation function (as specified in RFC 2898) with some convenience code around it to make it easy to use and really hard to mess up.
> 
> 
> WHERE TO GET IT
> 
> There are two packages on Hackage, which you can get with cabal-install:
> 
> 1. pwstore-fast is the preferred version.
> 
> 2. pwstore-purehaskell has the same API, but only pure Haskell dependencies. It's usable, but about 25 times slower than pwstore-fast.
> 
> http://hackage.haskell.org/package/pwstore-fast
> http://hackage.haskell.org/package/pwstore-purehaskell
> 
> The source code is on GitHub:
> 
> https://github.com/PeterScott/pwstore/
> 
> Any comments, questions, or patches are welcome.
> 
> -Peter
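The three-step scheme described in the quoted announcement (combine password and random salt, iterate SHA-256 a few thousand times, store the hash alongside the salt) worked through as an added Python example. This is not pwstore's own code: the `sha256|iterations|salt|hash` storage string, the 16-byte salt, and the default iteration count are assumptions chosen for illustration, not the library's format. The iteration structure follows PBKDF1 as the announcement states (RFC 2898 section 5.1: T1 = H(P || S), Ti = H(Ti-1)), and verification re-derives with the iteration count recorded in the stored string and compares in constant time.

```python
import base64
import hashlib
import hmac
import os


def pbkdf1_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF1-style derivation with SHA-256 (RFC 2898, section 5.1).

    T1 = H(P || S), Ti = H(Ti-1); the full 32-byte final digest is returned.
    Each extra iteration costs an attacker one more SHA-256 per guess.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    t = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.sha256(t).digest()
    return t


def make_password(password: str, iterations: int = 10000, salt=None) -> str:
    """Salt and slow-hash a password, returning one string to store.

    Storage format (an assumption for this example, not pwstore's format):
        sha256|<iterations>|<base64 salt>|<base64 hash>
    The salt is 16 bytes from os.urandom unless one is supplied (tests only).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = pbkdf1_sha256(password.encode("utf-8"), salt, iterations)
    return "sha256|{}|{}|{}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a string produced by make_password.

    Returns False (never raises) on a malformed stored value, and uses a
    constant-time comparison so timing does not leak how many bytes matched.
    """
    try:
        algo, iters_s, salt_b64, digest_b64 = stored.split("|")
        iterations = int(iters_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # covers bad field count, bad int, bad base64
        return False
    if algo != "sha256" or iterations < 1:
        return False
    actual = pbkdf1_sha256(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo input; a real application would never log the password.
    stored = make_password("correct horse battery staple")
    print("stored:", stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Tr0ub4dor&3", stored))
```

Because the iteration count travels with the hash, the count used for new passwords can be raised later without breaking verification of older entries; a migration can re-hash an old entry at the new count on the next successful login. The `__main__` block prints a fresh random-salt hash each run, which is the expected behaviour: two users with the same password get different stored strings.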
