Dancer-Plugin-Passphrase

README

    MD5 has been broken for many years. Commodity hardware can find a 
    hash collision in seconds, meaning an attacker can easily generate 
    the correct MD5 hash without using the correct password.

- We use `sha(pass.salt)`, and the salt is from `/dev/random`

    SHA isn't quite as broken as MD5, but it shares the same theoretical 
    weaknesses. Even without hash collisions, it is vulnerable to brute forcing.
    Modern hardware is so powerful it can try around a billion hashes a second. 
    That means every 7-character password in the range \[A-Za-z0-9\] can be cracked 
    in one hour on your average desktop computer.

- If the only way to break the hash is to brute-force it, it's secure enough

    It is unlikely that your database will be hacked and your hashes brute forced.
    However, in the event that it does happen, or SHA512 is broken, using this module
    gives you an easy way to change to a different algorithm, while still allowing
    you to validate old passphrases.
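
The migration described in the last item, shown as an added example that is not this module's code or storage format: each stored value carries a scheme tag, legacy `sha512(pass.salt)` rows still verify, and a successful login rewrites the row with a slow hash. The `{SHA512}` and `{PBKDF2-SHA512}` tags, the function names and `$ITER` are assumptions made for the example; PBKDF2-HMAC-SHA512 is used as the slow hash only because it can be built from core `Digest::SHA`.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha512_hex hmac_sha512);

my $ITER = 100_000;    # assumed work factor for this example; tune per hardware
sub new_salt {         # 16 random bytes, hex-encoded
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $raw, 16) == 16 or die "short read from urandom";
    return unpack 'H*', $raw;
}

sub pbkdf2_hex {       # PBKDF2-HMAC-SHA512, single 64-byte output block
    my ($pass, $salt, $iter) = @_;
    my $t = my $u = hmac_sha512($salt . pack('N', 1), $pass);
    for (2 .. $iter) { $u = hmac_sha512($u, $pass); $t ^= $u }
    return unpack 'H*', $t;
}
sub ct_eq {            # comparison that does not stop at the first mismatch
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}
sub hash_current {
    my ($pass, $salt) = ($_[0], new_salt());
    return '{PBKDF2-SHA512}' . join('$', $ITER, $salt, pbkdf2_hex($pass, $salt, $ITER));
}

sub verify {           # returns (matched, needs_rehash)
    my ($pass, $stored) = @_;
    my ($scheme, $rest) = $stored =~ /^\{([\w-]+)\}(.*)$/s or return (0, 0);
    my @f = split /\$/, $rest;
    if ($scheme eq 'SHA512' && @f == 2) {    # legacy sha512(pass . salt)
        my $ok = ct_eq(sha512_hex($pass . $f[0]), $f[1]);
        return ($ok, $ok);                   # fast hash: always upgrade on match
    }
    if ($scheme eq 'PBKDF2-SHA512' && @f == 3 && $f[0] =~ /^[1-9]\d*$/) {
        my $ok = ct_eq(pbkdf2_hex($pass, $f[1], $f[0]), $f[2]);
        return ($ok, $ok && $f[0] < $ITER ? 1 : 0);
    }
    return (0, 0);     # unknown or malformed scheme: fail closed
}

# Constructed legacy row, as the old sha(pass.salt) code would have stored it
my $row = '{SHA512}a1b2c3d4$' . sha512_hex('hunter2' . 'a1b2c3d4');
my ($ok, $rehash) = verify('hunter2', $row);
$row = hash_current('hunter2') if $ok && $rehash;    # upgrade on successful login
printf "new row ok=%d rehash=%d\n", verify('hunter2', $row);
```

Passphrases containing non-ASCII characters must be encoded to bytes (for example UTF-8) before they reach these functions, since `Digest::SHA` rejects wide characters.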

# KNOWN ISSUES

lib/Dancer/Plugin/Passphrase.pm

MD5 has been broken for many years. Commodity hardware can find a 
hash collision in seconds, meaning an attacker can easily generate 
the correct MD5 hash without using the correct password.

=item We use C<sha(pass.salt)>, and the salt is from C</dev/random>

SHA isn't quite as broken as MD5, but it shares the same theoretical 
weaknesses. Even without hash collisions, it is vulnerable to brute forcing.
Modern hardware is so powerful it can try around a billion hashes a second. 
That means every 7-character password in the range [A-Za-z0-9] can be cracked 
in one hour on your average desktop computer.

=item If the only way to break the hash is to brute-force it, it's secure enough

It is unlikely that your database will be hacked and your hashes brute forced.
However, in the event that it does happen, or SHA512 is broken, using this module
gives you an easy way to change to a different algorithm, while still allowing
you to validate old passphrases.

=back


