If you're going to use C anyway, why not bind bcrypt?

mark

On 07/02/2011, at 2:13 PM, Peter Scott wrote:
> Hi everyone,
>
> If you need to store and verify passwords, the usual advice is to use bcrypt.
> It neatly handles all the security issues, with a simple API. But Haskell
> doesn't have bcrypt bindings, so people are tempted to roll their own
> password storage methods, and perhaps get it wrong. I decided to fix that.
> The pwstore library handles all the details of password storage for you, in a
> way that should be so easy to use that there's no reason not to use it.
>
> WHAT IT DOES
>
> You hash and salt passwords with one function, and verify user input against
> these password hashes with another function. For more information, see the
> API docs:
>
> http://hackage.haskell.org/packages/archive/pwstore-fast/1.0/doc/html/Crypto-PasswordStore.html
>
>
> HOW IT WORKS
>
> The basic algorithm is this:
>
> * Combine the user's password with a randomly-generated salt.
>
> * Hash this slowly. By iterating SHA-256 a few thousand times, we make
>   brute-force guessing a lot less practical.
>
> * Store this hash along with the salt.
>
> This scheme is essentially an implementation of the PBKDF1 key derivation
> function (as specified in RFC 2898) with some convenience code around it to
> make it easy to use and really hard to mess up.
>
>
> WHERE TO GET IT
>
> There are two packages on Hackage, which you can get with cabal-install:
>
> 1. pwstore-fast is the preferred version.
>
> 2. pwstore-purehaskell has the same API, but only pure Haskell dependencies.
>    It's usable, but about 25 times slower than pwstore-fast.
>
> http://hackage.haskell.org/package/pwstore-fast
> http://hackage.haskell.org/package/pwstore-purehaskell
>
> The source code is on GitHub:
>
> https://github.com/PeterScott/pwstore/
>
> Any comments, questions, or patches are welcome.
>
> -Peter
> _______________________________________________
> Haskell mailing list
> Haskell@haskell.org
> http://www.haskell.org/mailman/listinfo/haskell
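
The salt-then-iterate scheme described in the quoted announcement, as an added example that is not part of the original thread and is not pwstore's code. It follows the PBKDF1 construction from RFC 2898 with SHA-256; the `iterations$salt$hash` record layout, the function names, the 16-byte salt and the default of 5000 iterations are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def pbkdf1_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF1 construction (RFC 2898): T_1 = H(P || S), T_i = H(T_{i-1})."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_record(password: str, iterations: int = 5000,
                salt: Optional[bytes] = None) -> str:
    """Hash a password and return 'iterations$salt$hash'.

    The record layout is an assumption of this example, not pwstore's format.
    """
    # A fresh random salt per password means equal passwords store differently.
    salt = os.urandom(16) if salt is None else salt
    digest = pbkdf1_sha256(password.encode("utf-8"), salt, iterations)
    return "$".join([
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(candidate: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        cost, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        actual = pbkdf1_sha256(candidate.encode("utf-8"), salt, int(cost))
    except ValueError:
        return False  # malformed or truncated record: fail closed
    return hmac.compare_digest(actual, expected)
```

Storing the iteration count inside each record lets the cost be raised later without invalidating hashes that were created with a lower count.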