So you remember how Reddit got a backup copy of their database stolen? Do you also remember how, since they stored users’ passwords as plain text, the hacker also got a big list of people’s email addresses and their passwords?
That’s bad. How can you avoid that?
Check out my new gem: bcrypt-ruby.
sudo gem install bcrypt-ruby
(make sure you have a C compiler and OpenSSL)
require 'bcrypt'

# Hash a new password. The salt is generated for you, and the result is a
# self-describing string: "$" version "$" cost "$" salt followed by the digest.
my_password = BCrypt::Password.create("my password")
#=> "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"
my_password.version #=> "2a"
my_password.cost #=> 10

# == hashes the candidate with the stored salt and cost, then compares.
my_password == "my password" #=> true
my_password == "not my password" #=> false

# Later (at login, say) rebuild the object from the string you stored.
my_password = BCrypt::Password.new("$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa")
my_password == "my password" #=> true
my_password == "not my password" #=> false
bcrypt() is the password hashing algorithm used by OpenBSD.
It’s awesome because:
- Designed by Niels Provos and David Mazières for OpenBSD, specifically for hashing passwords. The OpenBSD project doesn't screw around with security.
- Salts are generated automatically and stored as part of the hash string, so you never manage them yourself.
- It's orders of magnitude slower to brute-force than MD5, SHA-2 and other general-purpose hashes, which are built to be fast; bcrypt is deliberately expensive per guess.
- It has a cost parameter that lets you ratchet up the computational expense of checking a password: each increment doubles the work (2^cost rounds of key setup). Keep it low where login latency matters more than the data, high where it doesn't, and raise it over time as hardware gets faster.
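To make the stored format and the cost knob concrete, here is an added example in plain Ruby. It is not code from the bcrypt-ruby gem or from this post: it parses a stored bcrypt string into its version, cost, salt and digest (the general 60-character layout the gem reads, not just the one hash above), and shows a rehash-on-login policy for raising the cost later. The sample hash is the one from the snippet above; the function names, the `BCRYPT_FORMAT` regex and the target cost of 12 are my own choices, and only `upgrade_on_login` needs the gem installed.

```ruby
# Added example (not bcrypt-ruby's own code): inspect a stored bcrypt string
# and decide when to re-hash it at a higher cost. Pure Ruby except for
# upgrade_on_login, which assumes the bcrypt gem is installed.

# Constructed sample: the hash from the post's snippet (version 2a, cost 10).
SAMPLE_HASH = "$2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa"

# A bcrypt string is "$" version "$" two-digit cost "$" 22-char salt followed
# by a 31-char digest, both in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_FORMAT = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

def parse_bcrypt(stored)
  m = BCRYPT_FORMAT.match(stored)
  raise ArgumentError, "not a bcrypt hash: #{stored.inspect}" unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], digest: m[4] }
end

# Work per guess grows as 2**cost rounds of key setup, so each +1 doubles it.
def relative_work(from_cost, to_cost)
  2**(to_cost - from_cost)
end

# Policy check: was the stored hash made with a cost below what we now want?
def needs_rehash?(stored, target_cost)
  parse_bcrypt(stored)[:cost] < target_cost
end

# Rehash-on-login: the plaintext is only available while the user logs in,
# so that is the moment to upgrade. Returns the new hash string, or nil when
# the password is wrong or no upgrade is needed. Requires the bcrypt gem.
def upgrade_on_login(stored, plaintext, target_cost)
  require 'bcrypt'
  return nil unless BCrypt::Password.new(stored) == plaintext
  return nil unless needs_rehash?(stored, target_cost)
  BCrypt::Password.create(plaintext, cost: target_cost).to_s
end

info = parse_bcrypt(SAMPLE_HASH)
puts "version=#{info[:version]} cost=#{info[:cost]} salt=#{info[:salt]}"
puts "raising cost 10 -> 12 makes each guess #{relative_work(10, 12)}x slower"
puts "needs rehash at cost 12? #{needs_rehash?(SAMPLE_HASH, 12)}"
```

In an application you would call `upgrade_on_login` from the login handler and, when it returns a string, write that string back over the user's stored hash; users who never log in keep their old cost, which is why you should still measure how long a cost-12 check takes on your own hardware before making it the target.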
So don’t get caught with your pants down — be professional.