NAME

Dancer::Plugin::Bcrypt - Bcrypt interface for Dancer

VERSION

version 0.2.0

DESCRIPTION

This plugin is a simple interface to the bcrypt algorithm allowing web apps created by dancer to easily store passwords in a secure way.

It generates a crypographically strong salt for each password, uses the very strong bcrypts algorithm to hash the password - and does these in a configurable and portable manner.

BACKGROUND

See http://codahale.com/how-to-safely-store-a-password/

To safely store passwords in the modern era, you should use bcrypt. It's that simple

MD5, SHA and their ilk are general purpose hash functions, designed for speed.

An average server can calculate the MD5 hash of every 6 character, alphanumeric password in about 40 seconds. The beefiest boxen can do the same in ONE second

Bcrypt is an adaptive password hashing algorithm. It uses a work factor to determine how SLOWLY it hashes a password. This work factor can be increased to keep up with the ever increasing power of computers.

KEYWORDS

bcrypt

Pass it a plaintext password, and it will return a string suitable for storage, using the settings specified in the app config.

This string contains the bcrypted hash, work factor used, and the salt used to generate the hash, delimited by a $.

my $hash = bcrypt($plaintext);

Pass a plaintext password and a stored bcrypted string, it will return a hash of the plaintext password using the work factor and salt from the stored hash.

You would use this to verify that a password provided by a user matches the hash you have stored in the database.

my $hash = bcrypt($plaintext, $stored_hash);

bcrypt_validate_password

Pass it a plaintext password and the crypted password you have stored, and it will return a boolean to indicate whether the plaintext password entered is correct (it hashes to the same has the stored hash).

if (bcrypt_validate_password($entered_password, $stored_hash)) {
    ...
}

USAGE

package MyWebService;
use Dancer;
use Dancer::Plugin::Bcrypt;

get '/' sub => {

    # Generate a new hashed password - suitable for storing in a DB.
    my $hash = bcrypt( param('password') );

    # [...]

    # Validate password provided by user against stored hash.
    my $stored_hash = ''; # [...] retreive password from the DB.
    
    if (bcrypt_validate_password(param('password'), $stored_hash)) {
        # Entered password matches
    }
    
};

CONFIGURATION

You can set the work factor and the random-ness of the salt in your config.yml

plugins:
  bcrypt:
    work_factor: 8
    random_factor: strong

SEE ALSO

Dancer, Crypt::Eksblowfish::Bcrypt, Crypt::Random::Source, http://codahale.com/how-to-safely-store-a-password/

AUTHOR

James Aitken <jaitken@cpan.org>

COPYRIGHT AND LICENSE

This software is copyright (c) 2011 by James Aitken.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.