bcrypt-ruby: Secure Password Hashing
The Problem
So you remember how Reddit got a backup copy of their database stolen? Do you also remember how, since they stored users’ passwords as plain text, the hacker also got a big list of people’s email addresses and their passwords?
That’s bad. How can you avoid that?
Using bcrypt-ruby
Check out my new gem: bcrypt-ruby.
To install:
sudo gem install bcrypt-ruby
(make sure you have a C compiler and OpenSSL)
To use:
require 'bcrypt'
my_password = BCrypt::Password.create("my password") #=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
my_password.version #=> "2a"
my_password.cost #=> 10
my_password == "my password" #=> true
my_password == "not my password" #=> false
my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
my_password == "my password" #=> true
my_password == "not my password" #=> false
What’s bcrypt?
bcrypt() is the password hashing algorithm used by OpenBSD.
It’s awesome because:
- Developed by The OpenBSD Project specifically for hashing passwords. They don’t screw around with security.
- Salts are automatically generated and managed for you.
- It’s orders of magnitude harder to crack than MD5, SHA2, and other standard hash algorithms.
- It has a cost parameter which allows you to ratchet up the computational expense of checking a password — it can be low for low security situations or high for high security situations.
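The stored string in the usage block above carries everything needed to check a password later: the bcrypt version, the cost (the log2 of the number of key-setup rounds, so cost 10 means 1024 rounds), a 22-character salt and a 31-character digest, 60 characters in all. The following is an added example, not code from bcrypt-ruby or from this post: it parses that format with Ruby's standard library only (no gem required) and applies a minimum-cost policy, which is how you find stored hashes that should be rehashed at the user's next login. The `parse_bcrypt`, `needs_rehash?` and `audit` names, and the low-cost and plaintext sample rows, are all constructed for this example.

```ruby
# Added example (not part of bcrypt-ruby): inspect a stored bcrypt string
# and apply a minimum-cost policy. Pure Ruby stdlib; no gem needed to run.

# $<version>$<cost>$<22-char salt><31-char digest>, bcrypt base64 alphabet ./A-Za-z0-9
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Break a bcrypt hash into its fields. The salt and digest live in the same
# string, which is why the gem can manage salts for you: there is nothing
# else to store alongside the hash.
def parse_bcrypt(stored)
  m = BCRYPT_RE.match(stored) or raise ArgumentError, "not a bcrypt hash: #{stored.inspect}"
  {
    version: m[1],
    cost: m[2].to_i,
    rounds: 2**m[2].to_i, # cost is log2 of the key-setup iterations
    salt: m[3],
    digest: m[4],
  }
end

# Defender-side check: a stored hash below the minimum cost should be
# rehashed at the user's next successful login, the only time the
# plaintext is available to do so.
def needs_rehash?(stored, min_cost)
  parse_bcrypt(stored)[:cost] < min_cost
end

# Classify a credential column: [[user, stored_value], ...] -> {user => status}
def audit(rows, min_cost)
  rows.map do |user, stored|
    status = if BCRYPT_RE.match?(stored)
               needs_rehash?(stored, min_cost) ? :weak_cost : :ok
             else
               :not_bcrypt # plaintext or a legacy unsalted digest
             end
    [user, status]
  end.to_h
end

# Constructed sample rows (the low-cost string is not a real bcrypt output,
# just a syntactically valid one; the md5 row is md5("password")).
SAMPLE_ROWS = [
  ["alice", "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"],
  ["bob",   "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"],
  ["carol", "hunter2"],
  ["dave",  "5f4dcc3b5aa765d61d8327deb882cf99"],
]

if __FILE__ == $0
  audit(SAMPLE_ROWS, 10).each { |user, status| puts "#{user}: #{status}" }
end
```

With the gem installed, `BCrypt::Password.new(stored) == candidate` does the actual verification; the parsing above is only for auditing what is already in the database and deciding who needs a rehash.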
So don’t get caught with your pants down — be professional.