• Stars
    star
    164
  • Rank 230,032 (Top 5 %)
  • Language
    Erlang
  • License
    MIT License
  • Created about 13 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A library to handle password hashing and changing in a safe manner, independent from any kind of storage whatsoever.

Erlpass

A library to handle password hashing and changing in a safe manner, independent from any kind of storage whatsoever. The library is a thin wrapper around the erlang-bcrypt library from smarkets, handling special cases such as unicode passwords, and forcing hashes in binary. Moreover, the library takes care of providing common operations such as matching passwords, changing the work factor of a hash, or changing a password as a whole.

Current Status

Build Status

Build Instructions

Call rebar3 compile.

How do I use this

This library application depends on bcrypt (which in turn depends on crypto and poolboy). You thus need to call application:start(crypto), application:start(poolboy), and application:start(bcrypt) before being able to call the erlpass functions. The module has these three applications in its dependencies and it should be safe to use in releases. The possible calls are:

1> 1> application:ensure_all_started(erlpass).
{ok,[crypto, bcrypt,erlpass]}
ok
2> Hash = erlpass:hash("my voice is my password").
<<"$2a$12$85jwhagKAzosjJeUktveYuh26e6xFySob5oIKkWdc27SNL3A443OG">>
3> erlpass:match("hello, sir", Hash).
false
4> erlpass:match("my voice is my password", Hash).
true
5> erlpass:match(<<"my voice is my password">>, Hash).
true
6> erlpass:match([<<"my voice is my ">>, "password"], Hash).
true
7> erlpass:change("my voice", Hash, "new pass", 12).
{error,bad_password}
8> erlpass:change("my voice is my password", Hash, "new pass", 12).
<<"$2a$12$5ps2emX.5CgNs3o1RS1mzu8gkF0G9X0j/tKneKPqJOid3YdA7HmaO">>
9> erlpass:change("my voice is my password", Hash, "new pass", 12).
<<"$2a$12$4b2p/Hc.PwrTYffQKRkLheLyu2bbNQbVsvN5Hd.00ei67lagutUyq">>

The hash(Pass) function takes an optional workload factor argument that specifies how long it should take to run. The longer the work factor, the harder the brute force attack. The default work factor is 12.

There is also a change(Pass, Hash, Factor) function allowing to re-hash a password using a different work factor. This makes sense if a product stays in production for a long time or breakthrough in computing make the current work factor too short. The password can then be re-hashed based on that work factor to make it stronger.

Why should I use this?

Avoid using MD5 or SHA-x hashing functions. MD5 is collision-prone, some of the SHA functions too. MD5 and SHA hashing functions were made to be really fast and we want to avoid that. The reason is that it makes it easier to brute-force passwords if the table is compromised. Protect your users first. Bcrypt and Scrypt, by comparison, will salt the passwords for you and give each of them a work factor. If you take 100 millisecond to check a password (something that happens once per session, so it's fine to be slow) compared to 10 microseconds, it becomes a real pain for crackers to do their thing. During that time, you can warn your users to change their passwords in other services.

This library uses the erlang-bcrypt port from the Smarkets team to work in a safe manner. The library isn't attached to any kind of storage and only gives a wrapper to common password operations that you can store in whatever database you want or need.

Other Dependencies

You will need to have PropEr to run the tests. It's a fantastic testing library.

You can run the tests with rebar3 eunit.

Authors

More Repositories

1

recon

Collection of functions and scripts to debug Erlang in production.
Erlang
1,349
star
2

erlang-history

Hacks to add shell history to Erlang's shell
Erlang
495
star
3

pobox

External buffer processes to protect against mailbox overflow in Erlang
Erlang
317
star
4

vmstats

tiny Erlang app to generate information on the Erlang VM
Erlang
253
star
5

dispcount

Erlang task dispatcher based on ETS counters.
Erlang
210
star
6

backoff

Simple exponential backoffs in Erlang
Erlang
133
star
7

merklet

Merkle Trees for data replication in Erlang
Erlang
78
star
8

recon_demo

Playground for recon, for practice and demos.
Erlang
64
star
9

sups

PropEr model helper library to validate implementations of supervisor trees
Erlang
63
star
10

zippers

A library for functional zipper data structures in Erlang. Read more on zippers @ http://ferd.ca/yet-another-article-on-zippers.html
Erlang
54
star
11

flatlog

A custom formatter for the Erlang logger application that turns maps into single line text logs
Erlang
52
star
12

ReVault

ReVault is a peer-to-peer self-hosted file synchronization project.
Erlang
50
star
13

cth_readable

Common Test hooks for more readable logs
Erlang
49
star
14

dandelion

A weed is a plant considered undesirable in a particular situation, "a plant in the wrong place". Taxonomically, the term "weed" has no botanical significance, because a plant that is a weed in one context is not a weed when growing in a situation where it is wanted.
Erlang
49
star
15

lrw

Lowest Random Weight hashing for neatly rebalancing hashes
Erlang
45
star
16

simhash

Simhashing for Erlang -- hashing algorithm to find near-duplicates in binary data.
Erlang
43
star
17

bertconf

Make ETS tables out of statc BERT files that are auto-reloaded
Erlang
41
star
18

slider

A WxErlang application to generate slidesets.
Erlang
39
star
19

rebar3_proper

Run PropEr test suites with rebar3
Erlang
37
star
20

batchio

io:format middle-man that buffers and batches output sent to the io server for better throughput
Erlang
36
star
21

dlhttpc

dispcount-based lhttpc fork for massive amounts of requests to limited endpoints
Erlang
36
star
22

erl_crashdump_analyzer

shell script to analyze Erlang crash dumps and find some (generally) useful information.
Shell
30
star
23

hairnet

An Erlang library wrapping AES-GCM (AEAD) crypto in a Fernet-like interface
Erlang
29
star
24

howistart-erlang1-code

Code for my tutorial on howistart.org
Erlang
25
star
25

useragent

Identify browsers and OSes from user agent strings, in Erlang
Erlang
25
star
26

hubble

create, read, and update deep Erlang data structures, accessible through explicit paths.
Erlang
18
star
27

cth_retry

Common Test hooks to retry the last failing cases // Now built in Rebar3
Erlang
14
star
28

cascading-failures

crappy bit of Erlang code whose sole purpose is to crash repeatedly.
Erlang
12
star
29

my-finger

Just waiting for pull requests
11
star
30

rebar3_shellrpc

A plugin to send commands to a running rebar3 shell
Erlang
10
star
31

alias_transform

A parse transform to introduce module aliasing into Erlang code
Erlang
10
star
32

blogerl

My own blog engine. It's been held together with duct tape since 2010
HTML
10
star
33

tend

The Erl Next Door -- a useful platform with which we can quickly load dependencies for tutorials or demonstrations online, and letting people try code as they see fit.
Erlang
9
star
34

erl_subgraph_compile

A rebar plugin to only do partial re-builds of some files without any safety checks.
Erlang
9
star
35

calcalc

Calendrical Calculations; Erlang port of Dershowitz & Reingold's algorithms.
Erlang
7
star
36

bitarray

NIF to replace HiPE bitarray functions
JavaScript
6
star
37

start_wrap

Dumb Wrapper to make full releases possible in Erlang with a 'main' loop
Erlang
4
star
38

rebar3_todo

A rebar3 plugin that scans source code for TODO notes
Erlang
4
star
39

interclock

Experimental project to write an Erlang database app using Interval Tree Clocks. NO GUARANTEES EVER.
Erlang
4
star
40

rebar3-alias

Rebar3 Alias Plugin
Erlang
4
star
41

advent-of-code-2021

Trying the advent of code 2021 in Awk
Awk
3
star
42

erl-loadbalance-benchmarks

Erlang
3
star
43

trx

A rebar plugin to export Erlang test data into Visual Studio test format (.trx files)
Erlang
3
star
44

incl_chk

a demo repo for a forum discussion
Erlang
2
star
45

peeranha

Experimental master-to-master DB using ITCs
Erlang
2
star
46

cowboyku

Cowboy fork to be used with Heroku's proxy library
Erlang
1
star