Just to note, the comment about md5 is incorrect. I switched to SHA512 as you can see in the code.
2008/11/25 Thomas Hartman <[EMAIL PROTECTED]>:
> What does haskell cafe think of the following module for drop-in
> password hashing for webapps? Seem reasonable?
>
> import Data.Digest.SHA512 (hash)
> import qualified Data.ByteString as B'
> import qualified Data.ByteString.Char8 as B
> import Control.Exception (try)           -- for 'try' below
> import Data.Char (ord)                   -- for 'ord' in strongsalt
> import System.Random (mkStdGen, next)    -- for 'mkStdGen' and 'next' in strongsalt
>
> -- store passwords as md5 hash, as a security measure
> scramblepass :: String -> IO String
> scramblepass p = do
>   etSalt <- try $ readFile "secure/salt"
>   case etSalt of
>     Left e -> fail errmsg
>     Right s -> -- return . show . md5 . L.pack $ p ++ s
>                return . B.unpack . B'.pack . hash . B'.unpack . B.pack $ p ++ s
>   where errmsg = "scramblepass error, you probably need to create a salt file in secure/salt. This is used for \
>                  \hashing passwords, so keep it secure. chmod u=r secure/salt, and make sure it's skipped \
>                  \in version control commits, etc. A good way to generate a salt file is (e.g., on ubuntu) \
>                  \writeFile \"secure/salt\" =<< ( strongsalt $ readFile \"/dev/urandom\")\
>                  \You could also just type some random seeming text into this file, though that's not quite as secure.\
>                  \Keep a backup copy of this file somewhere safe in case of disaster."
>
>
> -- | eg, on ubuntu: strongsalt $ readFile "/dev/urandom"
> strongsalt :: IO String -> IO String
> strongsalt randomSource = return . salt' =<< randomSource
>   where salt' = show . fst . next . mkStdGen . read . concat . map (show . ord) . take 10
>
>
>
> 2008/10/30 Bulat Ziganshin <[EMAIL PROTECTED]>:
>> Hello Thomas,
>>
>> Thursday, October 30, 2008, 3:32:46 PM, you wrote:
>>
>>> No salt, but apart from that, should be fine, right?
>>
>> 1) without salt, it's not serious - easily broken by dictionary
>> attack
>>
>> 2) afair, md5 isn't considered now as cryptographic hash
>>
>>
>>
>> --
>> Best regards,
>> Bulat mailto:[EMAIL PROTECTED]
>>
>>
>
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
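Added example, not code from the thread: the module above appends one site-wide secret (the contents of `secure/salt`) to every password and takes a single SHA-512, so two users with the same password get the same stored value. The Python below contrasts that with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA512 from the standard library); the site salt value, iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def global_salt_hash(password: str, site_salt: bytes) -> str:
    """The thread's scheme: password ++ site-wide salt, one SHA-512."""
    return hashlib.sha512(password.encode("utf-8") + site_salt).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus PBKDF2; record is self-describing so
    parameters can be raised later without breaking old entries."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt per user, not a shared file
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, iterations)
    return "pbkdf2_sha512$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    site_salt = b"constructed-site-salt"   # constructed stand-in for secure/salt
    a = global_salt_hash("hunter2", site_salt)
    b = global_salt_hash("hunter2", site_salt)
    ra = hash_password("hunter2")
    rb = hash_password("hunter2")
    return {
        "global_salt_collides": a == b,      # True: identical for every such user
        "per_user_salt_collides": ra == rb,  # False: distinct salts, distinct records
        "verify_ok": verify_password("hunter2", ra),
        "verify_wrong": verify_password("hunter3", ra),
    }
```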