[FLOW3-general] Using BCrypt as a default hashing strategy
Julian Wachholz
julian.wachholz at gmail.com
Thu Oct 13 00:00:20 CEST 2011
Hi guys,
I've created a new hashing strategy that uses BCrypt and I'd like the Core
Team to adopt it as a new default algorithm.
I was told this will be mainly interesting for Christopher Hlubek so I hope
he'll see it.
BCrypt has several advantages over generic hashing algorithms, about which you
may find further discussion online.
To sum it up, the main reasons are:
- It's slow (we do not want a fast hashing algorithm that advocates brute
force attacks)
- It keeps up with Moore's Law (http://en.wikipedia.org/wiki/Moore%27s_law)
- It's not the same as hashing a password 10.000 times (which does not
provide any additional security)
To make the switch as easy as can be, I also provided a fallback method
which will use the current standard PBKDF2 hasher for already existing
accounts :)
I've attached the new class and a patch for the yaml configuration files.
Hopefully you'll like the idea and I'm all ears for thoughts on this.
Cheers
Julian
PS: Here's a good article about BCrypt by some fellow IRC user:
http://yorickpeterse.com/articles/use-bcrypt-fool/
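An added example (not the class attached to this post, and not FLOW3 code) showing the strategy the post describes, in PHP since FLOW3 is a PHP framework: new passwords are stored with bcrypt, existing PBKDF2 hashes still verify, and a legacy hash is replaced by a bcrypt hash on the next successful login. It assumes PHP 8 and a constructed legacy format `pbkdf2$<iterations>$<salt>$<hexhash>`; the class and method names are my own.

```php
<?php
// Password hashing strategy with bcrypt as default and PBKDF2 fallback.
// Legacy format is constructed for this example: "pbkdf2$<iterations>$<salt>$<hexhash>".
final class PasswordHashingStrategy
{
    // bcrypt work factor is 2^cost; raise it over time to keep up with faster hardware.
    public function __construct(private int $bcryptCost = 12) {}

    public function hashPassword(string $password): string
    {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $this->bcryptCost]);
    }

    /**
     * Returns true on a match. When the stored hash should be replaced
     * (legacy PBKDF2, or bcrypt with an outdated cost), $upgradedHash is set
     * to a fresh bcrypt hash that the caller should persist.
     */
    public function validatePassword(string $password, string $storedHash, ?string &$upgradedHash = null): bool
    {
        $upgradedHash = null;

        if (str_starts_with($storedHash, '$2y$')) {
            if (!password_verify($password, $storedHash)) {
                return false;
            }
            // The configured cost may have been raised since this hash was created.
            if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $this->bcryptCost])) {
                $upgradedHash = $this->hashPassword($password);
            }
            return true;
        }

        if (str_starts_with($storedHash, 'pbkdf2$')) {
            [, $iterations, $salt, $hash] = explode('$', $storedHash, 4);
            // hash_pbkdf2() returns a hex string of the requested length when raw_output is false.
            $candidate = hash_pbkdf2('sha256', $password, $salt, (int) $iterations, strlen($hash));
            if (!hash_equals($hash, $candidate)) {
                return false;
            }
            // Legacy account: the plaintext is available now, so migrate it to bcrypt.
            $upgradedHash = $this->hashPassword($password);
            return true;
        }

        return false; // unknown hash format
    }
}
```

The caller (e.g. the login flow) stores `$upgradedHash` whenever it is non-null, so the PBKDF2 fallback disappears from the database as users log in.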