[Haskell-cafe] Password hashing
tphyahoo at gmail.com
Tue Nov 25 10:38:26 EST 2008
What does haskell cafe think of the following module for drop-in
password hasing for webapps? Seem reasonable?
import Data.Digest.SHA512 (hash)
import qualified Data.ByteString as B'
import qualified Data.ByteString.Char8 as B
-- store passwords as md5 hash, as a security measure
scramblepass :: String -> IO String
scramblepass p = do
etSalt <- try $ readFile "secure/salt"
case etSalt of
Left e -> fail errmsg
Right s -> -- return . show . md5 . L.pack $ p ++ s
return . B.unpack . B'.pack . hash . B'.unpack . B.pack $ p ++ s
where errmsg = "scramblepass error, you probably need to create a
salt file in secure/salt. This is used for \
\hashing passwords, so keep it secure. chmod u=r
secure/salt, and make sure it's skipped \
\in version control commits, etc. A good way to generate a
salt file is (e.g., on ubuntu) \
\writeFile \"secure/salt\" =<< ( strongsalt $ readFile
\You could also just type some random seeming text into
this file, though that's not quite as secure.\
\Keep a backup copy of this file somewhere safe in case of
-- | eg, on ubuntu: strongsalt $ readFile "/dev/urandom"
strongsalt :: IO String -> IO String
strongsalt randomSource = return . salt' =<< randomSource
where salt' = show . fst . next . mkStdGen . read . concat . map
(show . ord) . take 10
2008/10/30 Bulat Ziganshin <bulat.ziganshin at gmail.com>:
> Hello Thomas,
> Thursday, October 30, 2008, 3:32:46 PM, you wrote:
>> No salt, but apart from that, should be fine, right?
> 1) without salt, it's not serious - easily breaked by dictionary
> 2) afair, md5 isn't condidered now as cryptographic hash
> Best regards,
> Bulat mailto:Bulat.Ziganshin at gmail.com
More information about the Haskell-Cafe