Comeonin v2.4.0 Comeonin.Pbkdf2
Module to handle pbkdf2_sha512 authentication.
To generate a password hash, use the hashpwsalt function:
Comeonin.Pbkdf2.hashpwsalt("hard to guess")
To check the password against a password hash, use the checkpw function:
Comeonin.Pbkdf2.checkpw("hard to guess", stored_hash)
There is also a dummy_checkpw function, which can be used to stop an attacker from discovering valid usernames by timing the responses.
See the documentation for each function for more details.
Most users will not need to use any of the other functions in this module.
Pbkdf2
Pbkdf2 is a password-based key derivation function: it takes a password, a variable-length salt and an iteration count, and applies a pseudorandom function repeatedly (once per iteration) to produce a key.
The original implementation used SHA-1 as the pseudorandom function, but this version uses HMAC-SHA-512.
Summary
Functions
Check the password
Perform a dummy check for a user that does not exist
Generate a salt for use with the hashpass function
Hash the password using pbkdf2_sha512
Hash the password with a salt which is randomly generated
Functions
Check the password.
The check is performed in constant time to avoid timing attacks.
Perform a dummy check for a user that does not exist.
This always returns false. It exists so that a login attempt for a nonexistent user takes about as long as one for an existing user, which makes user enumeration by timing responses more difficult.
Generate a salt for use with the hashpass function.
The minimum length of the salt is 16 and the maximum length is 1024. The default is 16.
Hash the password using pbkdf2_sha512.
In most cases, you will want to use the hashpwsalt function instead.
Use this function if you want more control over the generation of the salt or the number of rounds.
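The following is an added Python illustration of the mechanisms this page describes (the pbkdf2_sha512 derivation with salt and rounds, the constant-time password check, and the dummy check that keeps the timing of a login for a nonexistent user in line with that of a real one). It is not Comeonin's code; the hash string format, the default round count of 100,000, the fixed dummy salt and the user records are constructed for the example. Only the salt length limits (16 to 1024, default 16) are taken from the page.

```python
"""PBKDF2-HMAC-SHA512 password hashing with a timing-safe check and a dummy
check for unknown users.  Added illustration, not Comeonin's own code."""
import base64
import hashlib
import hmac
import os

DEFAULT_ROUNDS = 100_000              # constructed default; Comeonin reads its own from config
MIN_SALT_LEN, MAX_SALT_LEN = 16, 1024  # limits stated on the page
DK_LEN = 64                           # HMAC-SHA-512 yields a 64-byte derived key
DUMMY_SALT = b"\x00" * MIN_SALT_LEN   # fixed salt so the dummy check costs one real derivation


def gen_salt(salt_len: int = MIN_SALT_LEN) -> bytes:
    """Random salt; the length must be between 16 and 1024 bytes, default 16."""
    if not MIN_SALT_LEN <= salt_len <= MAX_SALT_LEN:
        raise ValueError(f"salt length must be {MIN_SALT_LEN}..{MAX_SALT_LEN}, got {salt_len}")
    return os.urandom(salt_len)


def hashpass(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Derive a key with PBKDF2-HMAC-SHA512 and encode rounds, salt and key in one
    string (constructed format: $pbkdf2-sha512$<rounds>$<b64 salt>$<b64 key>)."""
    if rounds < 1:
        raise ValueError("rounds must be positive")
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=DK_LEN)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def hashpwsalt(password: str) -> str:
    """Hash with a freshly generated random salt; the usual entry point."""
    return hashpass(password, gen_salt())


def _parse(stored_hash: str):
    """Split a stored hash string back into (rounds, salt, expected_key)."""
    parts = stored_hash.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a pbkdf2-sha512 hash string")
    return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])


def checkpw(password: str, stored_hash: str) -> bool:
    """Re-derive with the stored salt and rounds, then compare in constant time
    so that the comparison itself does not leak how many bytes matched."""
    rounds, salt, expected = _parse(stored_hash)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=DK_LEN)
    return hmac.compare_digest(actual, expected)


def dummy_checkpw() -> bool:
    """Always False, but only after one full derivation at the default round
    count, so a login for a user that does not exist takes about as long as one
    for a user whose hash was made with the defaults."""
    hashpass("", DUMMY_SALT)
    return False


def login(username: str, password: str, users: dict) -> bool:
    """Both branches perform one PBKDF2 derivation, so the response time does
    not reveal whether the username exists."""
    stored = users.get(username)
    if stored is None:
        return dummy_checkpw()
    return checkpw(password, stored)


if __name__ == "__main__":
    db = {"alice": hashpwsalt("hard to guess")}  # constructed user record
    print(login("alice", "hard to guess", db))   # True
    print(login("alice", "wrong", db))           # False
    print(login("mallory", "anything", db))      # False, after the same amount of work
```

Note that the dummy check only matches the timing of hashes produced with the default round count; if stored hashes were created with a different number of rounds, the dummy derivation should use that number too.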