author | Yorhel <git@yorhel.nl> | 2014-10-15 14:20:56 +0200
---|---|---
committer | Yorhel <git@yorhel.nl> | 2014-10-15 14:20:56 +0200
commit | 6e0a0e1d00e11da9b4eab2163e19314f752b05b5 |
tree | a65e4b62d81d395c9988f7045b4e83deec8b2485 /data |
parent | 13e967810a8b336164d22167bb047ad1dbb5a836 |
Use scrypt for new password hashes
I increased the N parameter to approximate about 500ms to generate the
hash. This is quite a paranoid setting for a website, but login attempts
are throttled so there's not much of a DoS factor. (Alright, the password
changing feature isn't throttled so the DoS factor still exists. But
really, there are some pages with longer page generation times anyway.)

I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits
by default), because 64 bits of randomness should have a low enough chance
of collision with only ~100k users (even with a million users,
seriously).
Diffstat (limited to 'data')
-rw-r--r-- | data/config_example.pl | 1
---|---|---
-rw-r--r-- | data/global.pl | 2

2 files changed, 3 insertions, 0 deletions
diff --git a/data/config_example.pl b/data/config_example.pl index 68c12145..6e0bbe37 100644 --- a/data/config_example.pl +++ b/data/config_example.pl @@ -18,6 +18,7 @@ package VNDB; url_static => 'http://your.static.site.root/', global_salt => '<some long unique string>', form_salt => '<another unique string>', + scrypt_salt => '<yet another unique string>', ); diff --git a/data/global.pl b/data/global.pl index 636ab327..477574c8 100644 --- a/data/global.pl +++ b/data/global.pl @@ -25,6 +25,8 @@ our %S = (%S, skin_default => 'angel', global_salt => 'any-private-string-here', form_salt => 'a-different-private-string-here', + scrypt_args => [ 131072, 8, 1 ], # N, r, p + scrypt_salt => 'another-random-string', regen_static => 0, source_url => 'http://git.blicky.net/vndb.git/?h=master', admin_email => 'contact@vndb.org', |
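Review bot: the new `scrypt_salt => '<yet another unique string>',` line in data/config_example.pl is documented only as "unique", but a site-wide value fed into scrypt alongside the per-user salt is effectively a secret pepper: it must be kept private (not merely distinct from `global_salt` and `form_salt`), and if it is ever changed every hash produced with the old value stops verifying. Suggest a short comment above the line saying both things, and listing `scrypt_args` here too (it is introduced in data/global.pl in this same change but is absent from the example config), so an operator tuning cost parameters finds the knob next to the salt rather than only in the defaults file.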
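Review bot: in data/global.pl the comment on `scrypt_args => [ 131072, 8, 1 ], # N, r, p` names the parameters but not the cost they imply; scrypt's working set is 128·r·N bytes, so N=131072 with r=8 is 128 MiB per hash computation in addition to the ~500 ms the commit message targets. That is the number that matters for the DoS concern the message raises about the unthrottled password-change path: each concurrent hash pins 128 MiB, so the comment should state that the value was chosen against the server's memory headroom, not only its CPU time. Two smaller points on the same hunk: `scrypt_salt => 'another-random-string'` is a committed default, so say explicitly that it must be overridden in the site config (as config_example.pl implies) and never used as-is in production; and if N, r, p are ever retuned, the stored hash needs to carry the parameters it was made with, otherwise hashes created under the old `scrypt_args` stop verifying.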