domingo, 30 de septiembre de 2018

Pharo Script of the Day: Hash password with PBKDF2 using ApplicationSecurity

Any application accepting passwords from users must use password hashing, which pays off in the event of a website breach by limiting the damage. The basic idea is that you do not store the passwords but a "one-way" derived token, then make it difficult enough (in terms of money and time) to reverse the stored token and get the original password.

We say "difficult" because if you have pre computed hash values (known as rainbown tables), it is still possible to decode the user password. So you need to use an additional security measure which consists of "salting" the password.

In Pharo Smalltalk you can use the ApplicationSecurity package to hash and verify a password using the PBKDF2 package. The following example uses a password verifier object: Given a plain text password (presumably provided by an user), a stored hashed salt and the stored hashed password, verify that password matches. We configure it with the PBKDF2 hasher (you can use other password hashers like ASNaclHasher, or the one provided by Grease library: ASGreaseHasher, or implement your own):

(ASPasswordVerifier new
    hasher: ASPBKDF2Hasher new;
    plainTextPassword: 'testPassword';
    storedSalt: '590b223fc584ae96edf3d5dc7e363034';
    storedFinalPassword: '2828efb46d56ca2fb004026398d412ef') verify.

Before using into production, check how to configure the number of iterations recommended and other sources of advices like this excellent post

0 comentarios:

Publicar un comentario