Rt branch, 4.2/bcrypt-passwords, updated. rt-4.1.19-33-ga844c43

I had recommended SHA-256 based on the hexadecimal hash output being
used (basically, 256 bits being 32 bytes outputted as 64 characters of
hex), but I guess using the raw binary output from SHA-512 would work
fine, too. I just don’t always trust things to handle binary data
well. :)

~reed

On Tue, 3 Sep 2013 15:43:02 -0400 (EDT) alexmv@bestpractical.com (Alex Vandiver) wrote:

The branch, 4.2/bcrypt-passwords has been updated
via a844c4315b5da45d80c6a0fb090f2d39536a1f6d (commit)
from 07ac7c51167a9427a2857fd4a09671ed8b9cab9c (commit)

Summary of changes:
lib/RT/User.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

- Log -----------------------------------------------------------------
    commit a844c4315b5da45d80c6a0fb090f2d39536a1f6d
    Author: Alex Vandiver alexmv@bestpractical.com
    Date: Tue Sep 3 15:31:57 2013 -0400

    SHA-512 passwords before passing to bcrypt for key derivation

    The bcrypt key derivation function only uses the first 72 bytes of the
    input; when used directly on a password, this effectively limits
    password length to 72 characters.

    Allow for arbitrarily long passwords by hashing the password using
    SHA-512 (which produces 512 bits, or 64 bytes, of output) before passing
    it to bcrypt.

diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index 3e4c2de…2c25a23 100644
— a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -897,7 +897,7 @@ sub _GeneratePassword_bcrypt {
key_nul => 1,
cost => $rounds,
salt => $salt,

  • }, encode_utf8($password) );
  • }, Digest::SHA::sha512( encode_utf8($password) ) );

    return join(“!”, “”, “bcrypt”, sprintf(“%02d”, $rounds),
    Crypt::Eksblowfish::Bcrypt::en_base64( $salt ).
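Review bot: the `+` line hands the raw 64-byte SHA-512 digest to bcrypt as the key, and roughly one in five such digests contains a NUL byte somewhere; bcrypt implementations that take the key as a C string (the OpenBSD original and libraries derived from it) stop at the first NUL, so the effective key can shrink to a few bytes, or to nothing when the digest happens to start with 0x00. Perl passes the key with an explicit length, so RT's own Crypt::Eksblowfish path most likely consumes all 64 bytes, but the `key_nul => 1` option a few lines up shows the scheme is built on that C-string convention, and any hash later verified or migrated by a NUL-terminating implementation would not match. Passing `Digest::SHA::sha512_hex( encode_utf8($password) )` (128 hex characters, of which bcrypt keeps the first 72, i.e. 288 bits) or `sha512_base64(...)` avoids the problem with no loss of strength and matches the hex output suggested in the reply. Also confirm that `use Digest::SHA;` is present elsewhere in User.pm, since the fully-qualified call in the `+` line does not load the module by itself.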

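To make the binary-versus-encoded question concrete, here is an added Python model (not RT's code, and it does not call bcrypt itself) of how each pre-hash encoding survives bcrypt's 72-byte key cap and the first-NUL truncation of C-string bcrypt implementations; the `nul_terminated` flag, the `BCRYPT_MAX_KEY` constant and the sample passwords are constructed assumptions for the demo.

```python
"""Model how a pre-hashed password survives bcrypt's key handling."""
import base64
import hashlib

BCRYPT_MAX_KEY = 72  # bytes of key material bcrypt consumes (assumed, per the commit text)


def prehash_raw(password: str) -> bytes:
    """Raw 64-byte SHA-512 digest, as the commit on this branch does."""
    return hashlib.sha512(password.encode("utf-8")).digest()


def prehash_hex(password: str, algo: str = "sha512") -> bytes:
    """Hex-encoded digest: printable ASCII, never contains a NUL byte."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest().encode("ascii")


def prehash_b64(password: str) -> bytes:
    """Base64-encoded SHA-512 digest: 88 printable characters, no NUL."""
    return base64.b64encode(prehash_raw(password))


def effective_key(key: bytes, nul_terminated: bool = True) -> bytes:
    """Key material a bcrypt implementation would actually use.

    nul_terminated=True models implementations that treat the key as a C
    string and stop at the first NUL; the 72-byte cap applies either way.
    """
    if nul_terminated:
        key = key.split(b"\x00", 1)[0]
    return key[:BCRYPT_MAX_KEY]


def nul_risk(passwords) -> float:
    """Fraction of raw digests that contain at least one NUL byte."""
    hits = sum(1 for p in passwords if b"\x00" in prehash_raw(p))
    return hits / len(passwords)


def first_password_with_leading_nul(prefix: str = "pw-", limit: int = 100000) -> str:
    """Constructed demo input whose raw digest starts with 0x00 (empty C-string key)."""
    for i in range(limit):
        candidate = f"{prefix}{i}"
        if prehash_raw(candidate)[0] == 0:
            return candidate
    raise RuntimeError("no candidate found within limit")
```

Hex SHA-256 (64 characters) fits entirely under the cap, while hex or base64 SHA-512 is cut at 72 characters and still leaves far more than 256 bits of key material.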
Rt-commit mailing list