Pavel Karoukin <[email protected]> writes:

> Right now I am using SHA hashed passwords in my Catalyst application
> (https://github.com/hippich/Bitcoin-Poker-Room). While SHA is better
> than MD5, I still want to migrate to Bcrypt.
>
> I have two questions:
>
> 1) Catalyst::Authentication::Credential::Password seems to not support
> Bcrypt since it relies on Digest and Digest does not have Bcrypt as an
> option.

Most of the time, using the self_check method provided by the password
credential is the way to go.

> Should I use DBIx::Class::EncodedColumn with
> Crypt::Eksblowfish::Bcrypt ?

That's one way, yes.

> 2) How should I update my application to first check against the new
> hashing algorithm and, if the password returns incorrect, try the old one
> (SHA)?

That's certainly possible. Another alternative would be to store the
hashing method used by your passwords right next to them. In fact,
that's exactly what DBIx::Class::PassphraseColumn does, and your problem
is exactly the reason it has been written. It supports every hashing
scheme supported by Authen::Passphrase. Authen::Passphrase itself
supports both Digest with SHA through A::P::SaltedDigest and bcrypt
through A::P::BlowfishCrypt.

> Should I do it through realms, or just check password in my
> authentication controller directly instead?

If you really want to check hashes twice instead of just storing the
hashing method, the most sensible point for that to happen seems to be
the check_password method in your user class.

Do note that, as the author of DBIx::Class::PassphraseColumn, I'm biased.
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
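The migration path the reply describes (store the hashing scheme next to the hash as an RFC 2307 string, let Authen::Passphrase pick the right recognizer, and upgrade legacy rows from the user class's check_password method), as an added example that is not from the original thread nor from the documentation of DBIx::Class::PassphraseColumn or Authen::Passphrase. It uses a plain Perl hash as a stand-in for the user table instead of a DBIx::Class row; the bcrypt cost of 8, the sample username and the sample passphrase are constructed for the illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Authen::Passphrase;
use Authen::Passphrase::SaltedDigest;
use Authen::Passphrase::BlowfishCrypt;

# Constructed stand-in for the user table: one row whose password was
# hashed under the legacy scheme (salted SHA-1, stored as {SSHA}...).
# Because the stored string carries its scheme, the row can be told
# apart from a bcrypt row ({CRYPT}$2a$...) without a separate column.
my %users = (
    legacy_user => {
        password => Authen::Passphrase::SaltedDigest->new(
            algorithm   => 'SHA-1',
            salt_random => 20,
            passphrase  => 'correct horse',    # constructed sample credential
        )->as_rfc2307,
    },
);

# How every new or re-hashed password is stored from now on.
# Cost 8 is an assumed value; pick the highest cost your login latency allows.
sub hash_new_password {
    my ($plaintext) = @_;
    return Authen::Passphrase::BlowfishCrypt->new(
        cost        => 8,
        salt_random => 1,
        passphrase  => $plaintext,
    )->as_rfc2307;
}

sub is_bcrypt {
    my ($stored) = @_;
    return $stored =~ /^\{CRYPT\}\$2a?\$/;
}

# The check_password method the reply suggests for the user class.
# One from_rfc2307 call dispatches on the stored scheme, so there is no
# "try bcrypt, then try SHA" double check; on a successful match a row
# still on the legacy scheme is transparently re-hashed with bcrypt.
sub check_password {
    my ($user, $plaintext) = @_;
    my $stored = $user->{password};

    # Unknown or corrupted scheme prefix: from_rfc2307 dies, treat as no match.
    my $ppr = eval { Authen::Passphrase->from_rfc2307($stored) };
    return 0 unless $ppr;
    return 0 unless $ppr->match($plaintext);

    $user->{password} = hash_new_password($plaintext) unless is_bcrypt($stored);
    return 1;
}

# Walk through the migration on the constructed row.
my $u = $users{legacy_user};
die "wrong password must not verify"            if     check_password($u, 'wrong');
die "legacy SHA hash must still verify"         unless check_password($u, 'correct horse');
die "row should have been upgraded to bcrypt"   unless is_bcrypt($u->{password});
die "upgraded bcrypt hash must verify"          unless check_password($u, 'correct horse');
print "migration check ok, stored as: $u->{password}\n";
```

Run it with the two Authen::Passphrase scheme modules installed; the legacy row verifies once against its {SSHA} hash, is rewritten as a {CRYPT}$2a$ bcrypt string, and verifies again under the new scheme. Upgrading on successful login is the only point at which the plaintext is available, which is why the re-hash sits inside check_password rather than in a batch job.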
