From 44e778aedd91a84582cbbef4ffc6e9912d001d66 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Fri, 25 Nov 2016 08:54:57 +0000 Subject: [PATCH] Increase password stretching to 10000 interations This is in line with current reccomendations from various sources. --- lib/password_hash.rb | 2 +- test/lib/password_hash_test.rb | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/password_hash.rb b/lib/password_hash.rb index 4faac4da8..c65df2c4f 100644 --- a/lib/password_hash.rb +++ b/lib/password_hash.rb @@ -6,7 +6,7 @@ require "digest/md5" module PasswordHash SALT_BYTE_SIZE = 32 HASH_BYTE_SIZE = 32 - PBKDF2_ITERATIONS = 1000 + PBKDF2_ITERATIONS = 10000 DIGEST_ALGORITHM = "sha512".freeze def self.create(password) diff --git a/test/lib/password_hash_test.rb b/test/lib/password_hash_test.rb index c481cc767..6f54a0d7a 100644 --- a/test/lib/password_hash_test.rb +++ b/test/lib/password_hash_test.rb @@ -14,6 +14,20 @@ class PasswordHashTest < ActiveSupport::TestCase assert_equal true, PasswordHash.upgrade?("67a1e09bb1f83f5007dc119c14d663aa", "salt") end + def test_pbkdf2_1000_32_sha512 + assert_equal true, PasswordHash.check("ApT/28+FsTBLa/J8paWfgU84SoRiTfeY8HjKWhgHy08=", "sha512!1000!HR4z+hAvKV2ra1gpbRybtoNzm/CNKe4cf7bPKwdUNrk=", "password") + assert_equal false, PasswordHash.check("ApT/28+FsTBLa/J8paWfgU84SoRiTfeY8HjKWhgHy08=", "sha512!1000!HR4z+hAvKV2ra1gpbRybtoNzm/CNKe4cf7bPKwdUNrk=", "wrong") + assert_equal false, PasswordHash.check("ApT/28+FsTBLa/J8paWfgU84SoRiTfeY8HjKWhgHy08=", "sha512!1000!HR4z+hAvKV2ra1gwrongtoNzm/CNKe4cf7bPKwdUNrk=", "password") + assert_equal true, PasswordHash.upgrade?("ApT/28+FsTBLa/J8paWfgU84SoRiTfeY8HjKWhgHy08=", "sha512!1000!HR4z+hAvKV2ra1gpbRybtoNzm/CNKe4cf7bPKwdUNrk=") + end + + def test_pbkdf2_10000_32_sha512 + assert_equal true, PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password") + assert_equal false, PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "wrong") + assert_equal false, PasswordHash.check("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtMwronguvanFT5/WtWaCwdOdrir8QOtFwxhO0A=", "password") + assert_equal false, PasswordHash.upgrade?("3wYbPiOxk/tU0eeIDjUhdvi8aDP3AbFtwYKKxF1IhGg=", "sha512!10000!OUQLgtM7eD8huvanFT5/WtWaCwdOdrir8QOtFwxhO0A=") + end + def test_default hash1, salt1 = PasswordHash.create("password") hash2, salt2 = PasswordHash.create("password") -- 2.39.5