This repository has been archived by the owner on Jul 28, 2021. It is now read-only.

Add support for per-user password salt with bcrypt #12

Closed
wants to merge 4 commits into from

Conversation

bitaxis

@bitaxis bitaxis commented Jun 2, 2014

Like the pepper option, the salt option is also a password suffix implementation. But unlike the pepper option, where all user records share the same suffix, the salt option uses a per-record suffix stored in the database, which I learnt about via AuthLogic.

My salt implementation will even co-exist with the pepper option, allowing both to be used if so desired.

@pencil
Member

pencil commented Jun 2, 2014

A bcrypt hash already contains a per-user salt. Why would you want to add even more salt? :)

@bitaxis
Author

bitaxis commented Jun 2, 2014

Interesting point. While I am not an expert on bcrypt nor security in general, the salt mentioned in that article is not per-user, but some random number. Indeed, it seems it chooses a different one every time, even for the same password. For example:

Loading development environment (Rails 3.2.18)
2.1.2 :001 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$sHxeXLrb.Zwp0WFAf4Z0sO6dASHGV6SQlJsMryfVAhq9nKFlZFoU2" 
2.1.2 :002 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$OQYq4bMNOQpwUWkBTDlY7.9OnvYEOAf9GnM81MVTZVvgxcYhV/BUy" 
2.1.2 :003 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$pqgQoosmzbKsVQkrkXLsauDgIbr3sEXGmk3DnP7u3gGpn8nnDxLcq" 
2.1.2 :004 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$XkIJKqD/bvXPdaifk1yO6.H0t/K65/3GF2f3OdmXWp.EQT..RT8Iq" 
2.1.2 :005 > BCrypt::Password.create("testpassword3.1")
 => "$2a$10$dMFe3JddbZPDjLPgh5Bl0eh0H/iPGS2Ny21pqn8DsNgaCLVxTYa8u" 

With AuthLogic's implementation of salt, it is akin to the pre-existing implementation of pepper, but on a per-user level. So, I suppose it can be argued that the pepper and salt implementations are both redundant since bcrypt provides it already? ;)

At the end, my real motivation for forking this project is to aid me in my migration from rubycas-server to CASino, which seems truly excellent, by the way. The user table I am working with is implemented via AuthLogic, where such a salt column is employed.

If you have some insights on how my contributions can be modified to better stay in line with your vision for this gem and still meet my migratory needs, I am open to them. For instance, I could rename salt_from_database to pepper_from_database to distinguish between a shared pepper vs. a per-user one.
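As an added illustration of the point pencil raises above (this is not code from the pull request or from CASino): a plain Ruby parser for bcrypt's `$2a$cost$` + 22-character salt + 31-character digest layout, run over the five hashes bitaxis pasted for the same password, showing that every one of them already carries its own distinct salt. The format constants are bcrypt's standard modular-crypt layout; the hash values are the ones quoted in the comment above.

```ruby
# Added example, not part of the pull request or of CASino.
# bcrypt stores its output as $<version>$<cost>$<22-char salt><31-char digest>,
# all in bcrypt's own base64 alphabet (./A-Za-z0-9). The salt is therefore
# part of the stored string; verification re-hashes the candidate password
# with that embedded salt, so no separate salt column is needed.
BCRYPT_RE = %r{\A\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})\z}

# Split a bcrypt hash into its fields. Anything that does not match the
# layout raises, so a malformed column value is noticed instead of ignored.
def parse_bcrypt(hash)
  m = BCRYPT_RE.match(hash) or raise ArgumentError, "not a bcrypt hash: #{hash.inspect}"
  { version: m[1], cost: m[2].to_i, salt: m[3], digest: m[4] }
end

# The five hashes quoted above, all created from the password "testpassword3.1".
SAME_PASSWORD_HASHES = [
  "$2a$10$sHxeXLrb.Zwp0WFAf4Z0sO6dASHGV6SQlJsMryfVAhq9nKFlZFoU2",
  "$2a$10$OQYq4bMNOQpwUWkBTDlY7.9OnvYEOAf9GnM81MVTZVvgxcYhV/BUy",
  "$2a$10$pqgQoosmzbKsVQkrkXLsauDgIbr3sEXGmk3DnP7u3gGpn8nnDxLcq",
  "$2a$10$XkIJKqD/bvXPdaifk1yO6.H0t/K65/3GF2f3OdmXWp.EQT..RT8Iq",
  "$2a$10$dMFe3JddbZPDjLPgh5Bl0eh0H/iPGS2Ny21pqn8DsNgaCLVxTYa8u",
].freeze

# Distinct salts across a set of hashes. Five distinct values for five hashes
# of one password shows bcrypt drew a fresh random salt each time, which is
# exactly what an AuthLogic-style per-user salt column would otherwise hold.
def distinct_salts(hashes)
  hashes.map { |h| parse_bcrypt(h)[:salt] }.uniq
end

if __FILE__ == $PROGRAM_NAME
  SAME_PASSWORD_HASHES.each { |h| p parse_bcrypt(h) }
  puts "distinct salts: #{distinct_salts(SAME_PASSWORD_HASHES).length}"
end
```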

@pencil
Member

pencil commented Oct 23, 2014

We will for now not add additional hashing/salting/peppering options as the current implementation just doesn't scale. An alternative system is planned (#16).

@pencil pencil closed this Oct 23, 2014