On Wed, Jan 27, 2010 at 08:26:39AM -0800, Chris Anderson wrote:
> > My reasoning here is that a SHA implementation is easier to come by
> > universally
> > than a bcrypt one.
>
> "More secure without more dependencies," which works for me.
SHA1 != HMAC_SHA1
If you want a format that doesn't tie you down to SHA1 in future, I suggest
you go with OpenLDAP's way of storing passwords with a tag.
"{CRYPT}aaqPiZY5xR5l." # Unix original crypt
"{CRYPT}$1$aaaaaaaa$lWxWtPmiNjS/cwJnGm6fe0" # Unix extensible crypt
"{SHA}....." # plain SHA1
"{SSHA}....." # salted SHA1
etc. (Indeed, the ability to move a secret from an LDAP server to a userdb
record or vice versa would be quite useful)
Shame Erlang doesn't have a native crypt() interface, but you can write a
NIF for it.