If you're going to use C anyway, why not bind bcrypt?

mark

On 07/02/2011, at 2:13 PM, Peter Scott wrote:

> Hi everyone,
> 
> If you need to store and verify passwords, the usual advice is to use bcrypt. 
> It neatly handles all the security issues, with a simple API. But Haskell 
> doesn't have bcrypt bindings, so people are tempted to roll their own 
> password storage methods, and perhaps get it wrong. I decided to fix that. 
> The pwstore library handles all the details of password storage for you, in a 
> way that should be so easy to use that there's no reason not to use it.
> 
> WHAT IT DOES
> 
> You hash and salt passwords with one function, and verify user input against 
> these password hashes with another function. For more information, see the 
> API docs:
> 
> http://hackage.haskell.org/packages/archive/pwstore-fast/1.0/doc/html/Crypto-PasswordStore.html
> 
> 
> HOW IT WORKS
> 
> The basic algorithm is this:
> 
> * Combine the user's password with a randomly-generated salt.
> 
> * Hash this slowly. By iterating SHA-256 a few thousand times, we make 
> brute-force guessing a lot less practical.
> 
> * Store this hash along with the salt.
> 
> This scheme is essentially an implementation of the PBKDF1 key derivation 
> function (as specified in RFC 2898) with some convenience code around it to 
> make it easy to use and really hard to mess up.
> 
> 
> WHERE TO GET IT
> 
> There are two packages on Hackage, which you can get with cabal-install:
> 
> 1. pwstore-fast is the preferred version.
> 
> 2. pwstore-purehaskell has the same API, but only pure Haskell dependencies. 
> It's usable, but about 25 times slower than pwstore-fast.
> 
> http://hackage.haskell.org/package/pwstore-fast
> http://hackage.haskell.org/package/pwstore-purehaskell
> 
> The source code is on GitHub:
> 
> https://github.com/PeterScott/pwstore/
> 
> Any comments, questions, or patches are welcome.
> 
> -Peter
> _______________________________________________
> Haskell mailing list
> Haskell@haskell.org
> http://www.haskell.org/mailman/listinfo/haskell
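
The three steps listed under HOW IT WORKS in the quoted announcement, as an added Python example that is not part of either message and is not pwstore's code; the chain follows PBKDF1 from RFC 2898 with SHA-256 as the hash. The iteration count, salt length, iteration ceiling and the `cost$salt$hash` record layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 5000           # assumed cost; the post says only "a few thousand"
MAX_ITERATIONS = 1_000_000  # assumed ceiling so a tampered record cannot stall verify()
SALT_BYTES = 16             # assumed salt length


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF1-style chain: T1 = H(password || salt), Ti = H(T(i-1))."""
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_record(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Return 'cost$salt$hash' (layout constructed for this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = derive(password.encode("utf-8"), salt, iterations)
    return "$".join([
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(candidate: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        cost_s, salt_b64, hash_b64 = record.split("$")
        iterations = int(cost_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False  # malformed record: fail closed
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False
    if len(expected) != hashlib.sha256().digest_size:
        return False
    actual = derive(candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)
```

Storing the cost inside the record lets the iteration count be raised later without invalidating records written at the old cost.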
