dariusc93
commented
9 years ago vibe.d is a web framework. Hashing should be done with a external library.
Open DemiMarie opened 9 years ago
dariusc93
commented
9 years ago vibe.d is a web framework. Hashing should be done with a external library.
DemiMarie
commented
9 years ago In that case, vibe.d should not include a salted hash library. In any case, most web apps need to hash passwords, and this is easy to get wrong, so vibe.d should provide it.
etcimon
commented
9 years ago I use bcrypt along with a constant time check in botan, might be troublesome to take the code out though considering license differences.
etcimon
commented
9 years ago dariusc93
commented
9 years ago @etcimon if botan is included in vibe.d, couldnt you just use bcrypt that way instead of taking the code out and place it into vibe.d?
etcimon
commented
9 years ago @etcimon if botan is included in vibe.d, couldnt you just use bcrypt that way instead of taking the code out and place it into vibe.d?
Yes, but I don't know yet how that's going to go in the short term. It all depends on the http2-botan-cleanup branch for now. I have a few things I want to tackle regarding this once I'm done with a project taking all my time. I'm going to merge some new http/2 bug fixes and make it compile with LDC 0.16 on the next updates. There's also all those pull requests that I'll absolutely need if I want to stop using my separate branch.
tchaloupka
commented
8 years ago DemiMarie
commented
8 years ago I would just call out to libsodium's highly-optimized Argon2 implementation. Libsodium is a well-regarded C library with no dependencies beyond libc. On Apr 7, 2016 7:22 AM, "Tomáš Chaloupka" notifications@github.com wrote:
I've written a simple D implementation of PBKDF2 https://github.com/chalucha/pbkdf2 with no other dependencies than dmd frontend > 2.069.0. It's not bcrypt or scrypt or even Argon2 https://en.wikipedia.org/wiki/Argon2, but is still widely used and might be usable instead of current unsafe MD5 password hashing. It uses Phobos HMAC as a pseudorandom function.
— You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub https://github.com/rejectedsoftware/vibe.d/issues/1248#issuecomment-206822924
bcryptandscryptare the only password hashes that are useful against attackers using massive parallelism and hardware acceleration. Therefore, vibe.d should offer a function that uses an existing implementation of eitherbcryptorscryptas its default and only means of hashing passwords. A constant-time comparison function is needed to compare such hashes.