rbCAS / casino-activerecord_authenticator

Provides mechanism to use ActiveRecord as an authenticator for CASino.
MIT License

Add support for per-user password salt with bcrypt #12

Closed bitaxis closed 10 years ago

bitaxis commented 10 years ago

Like the pepper option, the salt option is also a password suffix implementation. But unlike the pepper option, where all user records share the same suffix, the salt option uses a per-record suffix stored in the database, which I learnt about via AuthLogic.

My salt implementation will even co-exist with the pepper option, allowing both to be used if so desired.

pencil commented 10 years ago

A bcrypt hash already contains a per-user salt. Why would you want to add even more salt? :)

bitaxis commented 10 years ago

Interesting point. While I am not an expert on bcrypt nor security in general, the salt mentioned in that article is not per-user, but some random number. Indeed, it seems it chooses a different one every time, even for the same password. For example:

Loading development environment (Rails 3.2.18)
2.1.2 :001 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$sHxeXLrb.Zwp0WFAf4Z0sO6dASHGV6SQlJsMryfVAhq9nKFlZFoU2" 
2.1.2 :002 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$OQYq4bMNOQpwUWkBTDlY7.9OnvYEOAf9GnM81MVTZVvgxcYhV/BUy" 
2.1.2 :003 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$pqgQoosmzbKsVQkrkXLsauDgIbr3sEXGmk3DnP7u3gGpn8nnDxLcq" 
2.1.2 :004 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$XkIJKqD/bvXPdaifk1yO6.H0t/K65/3GF2f3OdmXWp.EQT..RT8Iq" 
2.1.2 :005 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$dMFe3JddbZPDjLPgh5Bl0eh0H/iPGS2Ny21pqn8DsNgaCLVxTYa8u" 

With AuthLogic's implementation of salt, it is akin to the pre-existing implementation of pepper, but on a per-user level. So, I suppose it can be argued that the pepper and salt implementations are both redundant since bcrypt provides it already? ;)

At the end, my real motivation for forking this project is to aid me in my migration from rubycas-server to CASino, which seems truly excellent, by the way. The user table I am working with is implemented via AuthLogic, where such a salt column is employed.

If you have some insights on how my contributions can be modified to better stay in line with your vision for this gem and still meet my migratory needs, I am open to them. For instance, I could rename salt_from_database to pepper_from_database to distinguish between a shared pepper vs. a per-user one.
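The IRB session above, as an added example that is not part of the rbCAS project or either commenter's code: a stdlib-only Ruby parser for the bcrypt hash string format, applied to the five hashes from that session, plus an audit helper that flags malformed rows or repeated salts in a stored-password column. parse_bcrypt, audit_bcrypt_column and SAME_PASSWORD_HASHES are names chosen here, not from the gem.

```ruby
# Added example, not code from the rbCAS project or this thread.
# A bcrypt hash string is "$<version>$<cost>$<salt><digest>": a 22-character
# salt followed by a 31-character digest, both in bcrypt's own base64
# alphabet (./A-Za-z0-9). The salt is generated on every call to
# BCrypt::Password.create and stored inside the hash, which is why the
# session above produced five different strings for one password.
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Split a bcrypt hash into its fields; returns nil for anything that is not
# a well-formed bcrypt string (e.g. a legacy hash left in the same column).
def parse_bcrypt(str)
  m = BCRYPT_RE.match(str.to_s)
  return nil unless m
  { version: m[1], cost: m[2].to_i, salt: m[3], digest: m[4] }
end

# The five hashes from the IRB session above, all for "testpassword3.1".
SAME_PASSWORD_HASHES = [
  "$2a$10$sHxeXLrb.Zwp0WFAf4Z0sO6dASHGV6SQlJsMryfVAhq9nKFlZFoU2",
  "$2a$10$OQYq4bMNOQpwUWkBTDlY7.9OnvYEOAf9GnM81MVTZVvgxcYhV/BUy",
  "$2a$10$pqgQoosmzbKsVQkrkXLsauDgIbr3sEXGmk3DnP7u3gGpn8nnDxLcq",
  "$2a$10$XkIJKqD/bvXPdaifk1yO6.H0t/K65/3GF2f3OdmXWp.EQT..RT8Iq",
  "$2a$10$dMFe3JddbZPDjLPgh5Bl0eh0H/iPGS2Ny21pqn8DsNgaCLVxTYa8u"
].freeze

# Sanity check for a stored-password column: every row should be a
# well-formed bcrypt string and every row should carry its own salt.
# Returns { ok: true/false, malformed: [...], duplicate_salts: [...] }.
def audit_bcrypt_column(hashes)
  parsed = hashes.map { |h| [h, parse_bcrypt(h)] }
  malformed = parsed.select { |_, p| p.nil? }.map(&:first)
  salts = parsed.map { |_, p| p && p[:salt] }.compact
  duplicate_salts = salts.group_by(&:itself).select { |_, v| v.size > 1 }.keys
  { ok: malformed.empty? && duplicate_salts.empty?,
    malformed: malformed, duplicate_salts: duplicate_salts }
end

if $PROGRAM_NAME == __FILE__
  SAME_PASSWORD_HASHES.each { |h| p parse_bcrypt(h).slice(:cost, :salt) }
  p audit_bcrypt_column(SAME_PASSWORD_HASHES)
end
```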

pencil commented 10 years ago

We will for now not add additional hashing/salting/peppering options as the current implementation just doesn't scale. An alternative system is planned (#16).