by geoffc on 7/11/11, 10:37 AM with 19 comments
by LoonyPandora on 7/11/11, 11:46 AM
Your code appears to work, but is subtly broken in a few ways. Firstly, since you don't return the hash in the "standard" format ("$2a", "$", two digits, "$", salt as 22 base 64 digits, '.', and 31 base 64 digits for the pass), one can't tell what work factor was used to create the hash, making it hard to verify a password. Secondly, the salt isn't sufficiently random; there are modules out there that provide more randomness for cryptographic applications such as this.
It's nice to see people blogging about this kind of thing for perl, but it's important that the code is correct.
[1] http://blogs.perl.org/users/james_aitken/2011/07/safely-stor...
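To make the comment's two points concrete, here is an added example (not code from the thread or from the linked blog post, and in Python rather than Perl because it only needs the standard library). It does not compute bcrypt itself; it handles the string format around it: parsing a stored hash of the shape "$2a$NN$" + 22 salt chars + 31 hash chars so the work factor and salt can be recovered for verification, flagging hashes whose cost is below policy, and generating the 22-character salt from the OS CSPRNG using bcrypt's own base64 alphabet. The sample hash string in the `__main__` block is constructed for illustration and is not a real bcrypt output.

```python
"""Parse and sanity-check bcrypt hashes in the modular crypt format (added example)."""
import base64
import re
import secrets

# bcrypt's base64 alphabet differs from RFC 4648: it starts with "./", ends with
# digits, and uses no "=" padding. The bit layout is the same, so a standard
# base64 encode followed by an alphabet translation produces bcrypt's encoding.
_STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BCRYPT_ALPHABET = b"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_TO_BCRYPT = bytes.maketrans(_STD_ALPHABET, _BCRYPT_ALPHABET)

# "$2a$" (2b/2x/2y variants also exist), two-digit cost, "$", 22 salt chars, 31 hash chars.
_BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def bcrypt_b64encode(raw: bytes) -> str:
    """Encode bytes with bcrypt's alphabet (standard base64 bit layout, no padding)."""
    std = base64.b64encode(raw).rstrip(b"=")
    return std.translate(_TO_BCRYPT).decode("ascii")


def make_salt() -> str:
    """22-char bcrypt salt from 16 bytes of OS CSPRNG output (secrets), not rand()."""
    return bcrypt_b64encode(secrets.token_bytes(16))


def parse_bcrypt(stored: str) -> dict:
    """Split a stored hash into ident, cost, salt and hash; ValueError if non-standard."""
    m = _BCRYPT_RE.match(stored)
    if m is None:
        raise ValueError("not a bcrypt hash in modular crypt format")
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    if not 4 <= fields["cost"] <= 31:
        raise ValueError(f"cost {fields['cost']} outside bcrypt's 4..31 range")
    return fields


def is_standard_format(stored: str) -> bool:
    """True when the stored value carries its own work factor and salt."""
    try:
        parse_bcrypt(stored)
    except ValueError:
        return False
    return True


def settings_from_stored(stored: str) -> str:
    """The "$2a$NN$<salt>" prefix a verifier feeds back into bcrypt to recompute the hash.

    This is exactly what a hash without the prefix cannot provide: the verifier
    would have to guess the cost and store the salt separately.
    """
    parse_bcrypt(stored)  # validate first
    return stored[:29]


def needs_rehash(stored: str, target_cost: int) -> bool:
    """True when the stored hash's work factor is below the current policy."""
    return parse_bcrypt(stored)["cost"] < target_cost


if __name__ == "__main__":
    # Constructed sample, not a real bcrypt output: cost 12, 22-char salt, 31-char hash.
    sample = "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    print(parse_bcrypt(sample))
    print("settings:", settings_from_stored(sample))
    print("rehash at cost 13?", needs_rehash(sample, 13))
    print("fresh salt:", make_salt())
    # A bare 31-char hash, as the blog post stored it, loses the cost and salt.
    print("bare hash is standard format?", is_standard_format("ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"))
```

Storing the full "$2a$NN$salt+hash" string means the verifier needs nothing but that string: it reads the cost and salt back out, recomputes, and compares. It also lets you raise the work factor later and transparently rehash users whose stored cost is below the new policy on their next login.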
by draegtun on 7/11/11, 11:44 AM
by jrockway on 7/11/11, 1:59 PM
by alfiejohn_ on 7/11/11, 12:27 PM