[Catalyst] Migrate from SHA hashed passwords to Bcrypt crypted passwords

Florian Ragwitz rafl at debian.org
Mon Jul 11 15:41:10 GMT 2011

Pavel Karoukin <hippich at gmail.com> writes:

> Right now I am using SHA hashed passwords in my Catalyst application
> (https://github.com/hippich/Bitcoin-Poker-Room). While SHA is better
> then MD5, I still want to migrate to Bcrypt.
> I have two questions:
> 1) Catalyst::Authentication::Credential::Password seems to not support
> Bcrypt since it relies on Digest and Digest do not have Bcrypt as an
> option.

Most of the time, using the self_check method provided by the password
credential is the way to go.

> Should I use DBIx::Class::EncodedColumn with
> Crypt::Eksblowfish::Bcrypt ?

That's one way, yes.

> 2) How I should update my application to have first check against new
> hashing algorithm and if password returns incorrect, try old one
> (SHA)?

That's certainly possible. An other alternative would be to store the
hashing method used by your passwords right next to them.

In fact, that's exactly what DBIx::Class::PassphraseColumn does, and
your problem is exactly the reason it has been written.

It supports every hashing scheme supported by
Authen::Passphrase. Authen::Passphrase itself supports both Digest with
SHA through A::P::SaltedDigest and bcrypt through A::P::BlowfishCrypt.

> Should I do it through realms, or just check password in my
> authentication controller directly instead?

If you really want to check hashes twice instead of just storing the
hashing method, the most sensible point for that to happen seems to be
the check_password method in your user class.

Do note that, as the author of DBIx::Class::PassphraseColumn, I'm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.scsys.co.uk/pipermail/catalyst/attachments/20110711/af8c97ac/attachment.pgp

More information about the Catalyst mailing list