auth/password: implement a digest class for bcrypt that handles salt correctly

[wchristian]

In short, for salts to work properly, every time a password is set, a new salt needs to be used, which maximizes the runtime cost for an attacker who acquires the database.

This also required passing the current password all the way through to the digest object in order to make password checking possible at all, which makes part of the diff a bit ugly.

However otherwise i tried to keep things as short and simple as possible, and i'm not married to any of the implementation if y'all would prefer things to be done differently.

[Leont]

My first thought was «Why are you using Crypt::Eksblowfish::Bcrypt when you can use the actually up-to-date and maintained Crypt::Bcrypt» (Digest::Bcrypt itself switched years ago).

On second thought, there are much bigger issues. Digest is fundamentally unsuitable for password hashing, not having a coherent concept of how salts work is a major part of that. Bcrypt not operating in streaming fashion is another (making the entire interface outright silly and unnecessarily complicated for this purpose).

I would suggest just dropping support for plain digests entirely: they are not a secure way of storing passwords and have not been for a long time. You're better off just going straight to Crypt::Bcrypt.

If you want more flexibility I'd recommend you Crypt::Passphrase (possibly via Mojolicious::Plugin::Passphrase), it will also automatically create secure salts.

[wchristian]

My first thought was «Why are you using Crypt::Eksblowfish::Bcrypt when you can use the actually up-to-date and maintained Crypt::Bcrypt» (Digest::Bcrypt itself switched years ago).

There are answers to this that are closer to the surface, but the core answer is: Because i walked into an existing project, i tried to minimize the changes that would need to be done to Yancy::Plugin::Auth::Password, and Eksblowfish made implementing that easiest for me yesterday. If you can look at BcryptYancy and wanna recommend some concrete changes, i'll be happy to take 'em. :)

On second thought, there are much bigger issues. Digest is fundamentally unsuitable for password hashing, not having a coherent concept of how salts work is a major part of that. Bcrypt not operating in streaming fashion is another (making the entire interface outright silly and unnecessarily complicated for this purpose).

I would suggest just dropping support for plain digests entirely: they are not a secure way of storing passwords and have not been for a long time. You're better off just going straight to Crypt::Bcrypt.

I agree, however that would, as mentioned, require a complete rewrite of Auth::Password, and just having walked into the door, not something i can suggest.

If you want more flexibility I'd recommend you Crypt::Passphrase (possibly via Mojolicious::Plugin::Passphrase), it will also automatically create secure salts.

On recommendation of mst, I'm actually planning to make Digest::Passphrase, if only because i'd also like to have password hashing that isn't limited to 72 bytes, but also because it would generally be useful to have that wrapped in a way that it can slot into places that expect Digest::. It probably would also make BcryptYancy entirely obsolete, but i'm not there yet.