Secure password handling in Dancer apps with Bcrypt

James Aitken has released Dancer::Plugin::Bcrypt, a new plugin for Dancer apps to make secure password hashing using Bcrypt easy.

For background on why you ought to use Bcrypt rather than simpler hashing, see http://codahale.com/how-to-safely-store-a-password/ – basically, MD5, SHA and the like are too cheap to compute, meaning that, even with a good salt, cracking the hash isn’t too hard these days, especially now that GPUs are routinely used for it. Bcrypt is intentionally expensive and slow (and you can decide just how expensive).

Dancer::Plugin::Bcrypt makes validating a password hash as easy as:

if (bcrypt_validate_password($entered_password, $stored_hash)) {
    ...
}

Generating a hash to store is also very simple:

my $hash = bcrypt($plaintext);

Generating a random salt is taken care of for you.
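Putting the two calls together, here is a small Dancer 1 app with a register and a login route. This is an added example, not code from the plugin or its documentation; the in-memory user store is constructed for illustration and stands in for a real database table.

```perl
#!/usr/bin/env perl
# Added example: registration stores only the bcrypt hash, login validates
# the submitted password against it with bcrypt_validate_password().
use 5.010;
use strict;
use warnings;
use Dancer;
use Dancer::Plugin::Bcrypt;

# Constructed in-memory user store (stand-in for a database table).
# Only the hash is kept; the plaintext password is never stored.
my %users;

# Hash of a throwaway string, computed once at startup. It is used when the
# username is unknown so that a failed login costs roughly the same time
# whether the user exists or not (limits username enumeration via timing).
my $DUMMY_HASH = bcrypt('not-a-real-password');

post '/register' => sub {
    my $username = params->{username};
    my $password = params->{password};
    unless (defined $username && defined $password && length $password) {
        status 400;
        return "username and password required";
    }
    if (exists $users{$username}) {
        status 409;
        return "user already exists";
    }
    # bcrypt() picks a random salt and returns the full hash string,
    # so nothing besides this value needs to be stored for the user.
    $users{$username} = bcrypt($password);
    return "registered";
};

post '/login' => sub {
    my $username = params->{username} // '';
    my $password = params->{password} // '';
    my $stored   = $users{$username};

    # Always run the bcrypt comparison, against the real hash if the user
    # exists and against the dummy hash otherwise; only a real match passes.
    my $ok = bcrypt_validate_password($password, $stored // $DUMMY_HASH);
    unless (defined $stored && $ok) {
        status 401;
        return "invalid username or password";
    }
    return "welcome, $username";
};

dance;
```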

*UPDATE* – the above is a nice simple way to quickly get secure password hashing with minimal effort, but it is likely not the best way. If you’re already using DBIx::Class, see DBIx::Class::PassphraseColumn for a better way to do this automatically at your database model level.

Thanks to mst for prompting me to mention the above :)