Password Hashes, Again

Michiel Beijen michiel.beijen at gmail.com
Wed Sep 4 05:59:35 UTC 2013


On Mon, Apr 16, 2012 at 3:07 PM, Nick Barnes <Nick.Barnes at pobox.com> wrote:

> There are good reasons, acknowledged by the ITRS, to suppose that a
> number of these long-term exponential trends are going to peter out
> over the next decade.

Just chiming in on this thread. I'm Michiel; I work for OTRS, and we make
an open source helpdesk system written in Perl.
For our upcoming 3.3 release, which is just out in beta, we've
implemented a password hashing mechanism using bcrypt and the
CPAN module Crypt::Eksblowfish::Bcrypt. We generate a salt, hash the
password and store the hash and the salt in the password field. This
way we do not need new columns just to store the salt.

Actually, bcrypt is optional: if you don't install the module, it'll
fall back to using SHA to generate the hashes. And of course, if there
is a bcrypt hash in the database, you can only decrypt it using the
bcrypt module.
Plus, the method we chose allows for a 'seamless upgrade': if you have
an existing OTRS system and you switch bcrypt on, any existing
password hashes will still work, but if you change your password or
create a new user, that'll use bcrypt.

This was pretty trivial to implement, and I think it would be helpful
for Bugzilla as well, especially for larger installations. If anyone
is interested, maybe I can provide a patch against Bugzilla for the
same.
--
Michiel
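A worked sketch of the scheme described in the post above (a self-describing hash stored in the single password column, SHA fallback when the bcrypt module is absent, and detection of legacy hashes so they can be re-hashed on the next login or password change). This is an added example, not OTRS's or Bugzilla's code; the `sha256:<salt>:<hash>` layout for the fallback, the bcrypt cost of 10 and reading the salt from /dev/urandom are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Try to load bcrypt at runtime; if the module is missing we fall back
# to SHA-256, mirroring the optional-dependency behaviour in the post.
my $HAVE_BCRYPT = eval { require Crypt::Eksblowfish::Bcrypt; 1 };

sub random_salt {
    my ($bytes) = @_;
    # Assumption: /dev/urandom exists (Linux/BSD); use Crypt::URandom elsewhere.
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $salt, $bytes;
    close $fh;
    return $salt;
}

# Hash a new or changed password. Both formats carry their own salt, so a
# single password column is enough and the format identifies the algorithm.
sub hash_password {
    my ($password) = @_;
    if ($HAVE_BCRYPT) {
        # 16 random bytes -> 22 base64 chars, the salt length bcrypt expects.
        my $settings = '$2a$10$' . Crypt::Eksblowfish::Bcrypt::en_base64(random_salt(16));
        return Crypt::Eksblowfish::Bcrypt::bcrypt($password, $settings);  # "$2a$10$<salt><hash>"
    }
    my $salt = unpack 'H*', random_salt(8);            # assumed fallback layout
    return "sha256:$salt:" . sha256_hex($salt . $password);
}

# Verify against whatever format is stored; old SHA hashes keep working
# after bcrypt is switched on, which is what makes the upgrade seamless.
sub verify_password {
    my ($password, $stored) = @_;
    if ($stored =~ /^\$2a\$/) {
        return 0 unless $HAVE_BCRYPT;   # bcrypt hash present but module missing
        return Crypt::Eksblowfish::Bcrypt::bcrypt($password, $stored) eq $stored;
    }
    if ($stored =~ /^sha256:([0-9a-f]+):([0-9a-f]+)$/) {
        return sha256_hex($1 . $password) eq $2;
    }
    return 0;
}

# True when a successful login should trigger re-hashing with bcrypt.
sub needs_upgrade {
    my ($stored) = @_;
    return $HAVE_BCRYPT && $stored !~ /^\$2a\$/;
}

my $stored = hash_password('correct horse');
print "stored: $stored\nlogin ok: ", (verify_password('correct horse', $stored) ? 1 : 0),
      "\nneeds upgrade: ", (needs_upgrade($stored) ? 1 : 0), "\n";
```

Run it once with Crypt::Eksblowfish::Bcrypt installed and once without to see the two stored formats; a legacy `sha256:` value verified after bcrypt is installed reports `needs upgrade: 1`, which is the point at which a real system would re-hash and store the bcrypt value.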
