Largely based on restful_authentication by Rick Olson. Changes include:
Bcrypt is used for password storage. Specified with RSpec. Authentication mechanisms are separated into modules contained within the plugin. Generators are only used for migrations. Does not include email verification. This plugin does not generate controller code for you, partly because I'm lazy and partly since example code (taken from restful_authentication) can be found in the resources directory of the plugin's spec folder.
For a rationale on why SHA1 with individual salts is inferior to bcrypt, read Thomas Ptacek's article.
Example
Using acts_as_authentable is as easy as:
gem install bcrypt-ruby
Installing acts_as_authentable:
./script/plugin install http://acts-as-authentable.googlecode.com/svn/trunk/acts_as_authentable
Annotate the model object you want to be authentable:
class User < ActiveRecord::Base
  acts_as_authentable  # the plugin's class-level declaration
end
Creating a migration for adding fields to the authentable model:
./script/generate authentable user
creates a migration:
db/migrate/XXX_add_authentable_fields_for_users.rb
If you have rspec and rspec_on_rails installed, verify the plugin with:
rake spec:plugins
This is a modified version of the acts_as_authenticated rails plugin using Coda Hale's BCrypt implementation, rather than the weaker MD5 hash used originally.
Designed as an upgrade to legacy apps still running this plugin.
BCrypt.net is a C# port of the jBCrypt library. It was ported by Derek Slager. I created this project and uploaded the code here to give it a more permanent home.
As Derek originally did the port, I will let his words describe the code (see Derek's original blog posting).
... hash functions to authenticate passwords is as naive as using unsalted hash functions. Don't.
BCrypt.net is an implementation of OpenBSD's Blowfish-based password hashing code, described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières. It is a direct port of jBCrypt by Damien Miller, and is thus released under the same BSD-style license. The code is fully managed and should work with any little-endian CLI implementation -- it has been tested with Microsoft .NET and Mono.
Why BCrypt?
Most popular password storage schemes are based on fast hashing algorithms such as MD5 and SHA-1. BCrypt is a computationally expensive adaptive hashing scheme which utilizes the Blowfish block cipher. It is ideally suited for password storage, as its slow initialization time severely limits the effectiveness of brute force password cracking attempts. How much overhead it adds is configurable (that's the adaptive part), so the computational resources required to test a password candidate can grow along with advancements in hardware capabilities.
Usage
Using BCrypt in your code is very simple:
// Pass a logRounds parameter to GenerateSalt to explicitly specify the
// amount of resources required to check the password. The work factor
// increases exponentially, so each increment is twice as much work. If
// omitted, a default of 10 is used.
string hashed = BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));
// Check the password.
bool matches = BCrypt.CheckPassword(candidate, hashed);
This egg provides Chicken bindings for the Unix crypt() function. It will attempt to use the system's crypt() for all available types, and supplies fallbacks when the native crypt does not support a given type for common implementations like Niels Provos' bcrypt() and Ulrich Drepper's SHA-2 based crypt().