On Wed, Jan 27, 2010 at 08:26:39AM -0800, Chris Anderson wrote:
> > My reasoning here is that a SHA implementation is easier to come by
> > universally than a bcrypt one.
> > More secure without more dependencies," which works for me.
SHA1 != HMAC_SHA1

If you want a format that doesn't tie you down to SHA1 in future, I suggest
you go with OpenLDAP's way of storing passwords with a tag:

  "{CRYPT}aaqPiZY5xR5l."                        # Unix original crypt
  "{CRYPT}$1$aaaaaaaa$lWxWtPmiNjS/cwJnGm6fe0"   # Unix extensible crypt
  "{SHA}....."                                  # plain SHA1
  "{SSHA}....."                                 # salted SHA1

etc.

(Indeed, the ability to move a secret from an LDAP server to a userdb record
or vice versa would be quite useful)

Shame Erlang doesn't have a native crypt() interface, but you can write a NIF
for it.
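The tagged format above, as an added example that is not from this thread or from any project it discusses: it splits a "{SCHEME}data" record, verifies {SHA} and {SSHA} (whose payload is the 20-byte digest followed by the salt, so the salt length need not be fixed), and refuses schemes it does not implement such as {CRYPT}, which would need a crypt(3) binding. Function names and SALT_LEN are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 8  # this example's choice; the format does not fix a salt length


def split_tagged(stored):
    """Return (SCHEME, data) for a '{SCHEME}data' record, scheme upper-cased."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a tagged password")
    close = stored.index("}")
    return stored[1:close].upper(), stored[close + 1:]


def make_tagged(password, scheme="SSHA", salt=None):
    """Produce a {SHA} (unsalted) or {SSHA} (salted) record for storage."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        # Plain SHA1, no salt: identical passwords give identical records,
        # so {SSHA} is the better default of the two.
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(SALT_LEN) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        # Payload layout: digest (20 bytes) followed by the salt.
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme: " + scheme)


def verify_tagged(password, stored):
    """True iff password matches stored; False for malformed or unsupported records."""
    try:
        scheme, data = split_tagged(stored)
    except ValueError:
        return False
    if scheme not in ("SHA", "SSHA"):
        return False  # e.g. {CRYPT}: hand off to a crypt(3) binding instead
    try:
        payload = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pw = password.encode("utf-8")
    if scheme == "SHA":
        expected, actual = payload, hashlib.sha1(pw).digest()
    else:
        expected, salt = payload[:20], payload[20:]
        actual = hashlib.sha1(pw + salt).digest()
    # Constant-time comparison; unequal lengths simply compare False.
    return hmac.compare_digest(expected, actual)
```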