[Haskell] ANNOUNCE: pwstore 1.0 (Secure password storage)

Peter Scott pjscott at iastate.edu
Mon Feb 7 04:13:35 CET 2011


Hi everyone,

If you need to store and verify passwords, the usual advice is to use
bcrypt. It neatly handles all the security issues, with a simple API. But
Haskell doesn't have bcrypt bindings, so people are tempted to roll their
own password storage methods, and perhaps get it wrong. I decided to fix
that. The pwstore library handles all the details of password storage for
you, in a way that should be so easy to use that there's no reason not to
use it.

WHAT IT DOES

You hash and salt passwords with one function, and verify user input against
these password hashes with another function. For more information, see the
API docs:

http://hackage.haskell.org/packages/archive/pwstore-fast/1.0/doc/html/Crypto-PasswordStore.html


HOW IT WORKS

The basic algorithm is this:

* Combine the user's password with a randomly-generated salt.

* Hash this slowly. By iterating SHA-256 a few thousand times, we make
brute-force guessing a lot less practical.

* Store this hash along with the salt.

This scheme is essentially an implementation of the PBKDF1 key derivation
function (as specified in RFC 2898) with some convenience code around it to
make it easy to use and really hard to mess up.


WHERE TO GET IT

There are two packages on Hackage, which you can get with cabal-install:

1. pwstore-fast is the preferred version.

2. pwstore-purehaskell has the same API, but only pure Haskell dependencies.
It's usable, but about 25 times slower than pwstore-fast.

http://hackage.haskell.org/package/pwstore-fast
http://hackage.haskell.org/package/pwstore-purehaskell

The source code is on GitHub:

https://github.com/PeterScott/pwstore/

Any comments, questions, or patches are welcome.

-Peter
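The scheme described under HOW IT WORKS (random salt, SHA-256 iterated a few thousand times in PBKDF1 style, hash stored next to the salt, and a separate verify step) can be shown end to end in a few lines. The following is an added example written for this page, not pwstore's own code: the `sha256|iterations|salt|hash` record format, the iteration count of 4096, and the function names `make_password` / `verify_password` are assumptions of this example, chosen only to illustrate the algorithm.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count. The announcement says "a few thousand"; 4096 is a
# constructed choice for this example, not pwstore's actual default.
DEFAULT_ITERATIONS = 4096


def iterated_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF1-style derivation (RFC 2898): hash password||salt once, then
    rehash the digest repeatedly. Every extra iteration costs an attacker one
    more SHA-256 call per guess, which is what makes brute force slow."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_password(password: bytes,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "sha256|<iterations>|<salt>|<hash>".
    The record format is an assumption of this example, not pwstore's format.
    Storing the iteration count lets the work factor be raised later without
    breaking existing records. A fresh random salt is drawn per password so
    identical passwords never produce identical records."""
    if salt is None:
        salt = os.urandom(16)
    digest = iterated_sha256(password, salt, iterations)
    return "sha256|%d|%s|%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: bytes, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    it to the stored hash. Any malformed record verifies as False rather than
    raising, and the comparison is constant-time to avoid leaking how many
    leading bytes matched."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("|")
        if algo != "sha256":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False
    actual = iterated_sha256(password, salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample usage: store once, verify twice.
    record = make_password(b"correct horse battery staple")
    print(record)
    print(verify_password(b"correct horse battery staple", record))  # True
    print(verify_password(b"wrong guess", record))                   # False
```

The salt is what defeats precomputed tables: two users with the same password get different records, and an attacker has to redo the iterated hashing for each salt. Note that iterating a plain hash is the older PBKDF1 construction the announcement names; an HMAC-based PBKDF2 or bcrypt does the same job with more headroom for raising the work factor.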