From 6e0a0e1d00e11da9b4eab2163e19314f752b05b5 Mon Sep 17 00:00:00 2001 From: Yorhel Date: Wed, 15 Oct 2014 14:20:56 +0200 Subject: Use scrypt for new password hashes I increased the N parameter to approximate about 500ms to generate the hash. This is quite a paranoid setting for a website, but login attempts are throttled so there's not much of a DoS factor. (Alright, password changing feature isn't throttled so the DoS factor still exists. But really, there's some pages with longer page generation times anyway.) I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits by default), because 64 bits of randomness should have low enough chance of collision with only ~100k users (even with a million users, seriously). --- data/config_example.pl | 1 + 1 file changed, 1 insertion(+) (limited to 'data/config_example.pl') diff --git a/data/config_example.pl b/data/config_example.pl index 68c12145..6e0bbe37 100644 --- a/data/config_example.pl +++ b/data/config_example.pl @@ -18,6 +18,7 @@ package VNDB; url_static => 'http://your.static.site.root/', global_salt => '', form_salt => '', + scrypt_salt => '', ); -- cgit v1.2.3
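Review bot: the new `scrypt_salt => ''` entry in data/config_example.pl has an empty default and no comment, unlike what the commit message implies about how it is used; an operator copying the example will get a blank site-wide secret without any signal that it must be filled in. The name is also easy to confuse with the 64-bit per-hash salt the message describes, since this value is a global, site-wide secret rather than a per-password salt. Suggest a comment above the line stating that it must be set to a long random string before any password is hashed, and that it must not change afterwards because existing hashes depend on it, e.g. `# scrypt_salt: site-wide secret mixed into every password hash; set to a random string once and never change it`. Since this commit only touches the example config, existing deployments whose config lacks the key will pass an undefined value into the new hashing code; that path should be checked and should refuse to hash rather than proceed silently.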