Strengthen password hashing algorithm

[rails.git] / lib / password_hash.rb

diff --git a/lib/password_hash.rb b/lib/password_hash.rb
new file mode 100644 (file)
index 0000000..1bd8029
--- /dev/null
+++ b/lib/password_hash.rb
@@ -0,0 +1,39 @@
+require "securerandom"
+require "openssl"
+require "base64"
+require "digest/md5"
+
+module PasswordHash
+  SALT_BYTE_SIZE = 32
+  HASH_BYTE_SIZE = 32
+  PBKDF2_ITERATIONS = 1000
+  DIGEST_ALGORITHM = "sha512"
+
+  def self.create(password)
+    salt = SecureRandom.base64(SALT_BYTE_SIZE)
+    hash = self.hash(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE, DIGEST_ALGORITHM)
+    return hash, [DIGEST_ALGORITHM, PBKDF2_ITERATIONS, salt].join("!")
+  end
+
+  def self.check(hash, salt, candidate)
+    if salt.nil?
+      candidate = Digest::MD5.hexdigest(candidate)
+    elsif salt =~ /!/
+      algorithm, iterations, salt = salt.split("!")
+      size = Base64.strict_decode64(hash).length
+      candidate = self.hash(candidate, salt, iterations.to_i, size, algorithm)
+    else
+      candidate = Digest::MD5.hexdigest(salt + candidate)
+    end
+
+    return hash == candidate
+  end
+
+private
+
+  def self.hash(password, salt, iterations, size, algorithm)
+    digest = OpenSSL::Digest.new(algorithm)
+    pbkdf2 = OpenSSL::PKCS5::pbkdf2_hmac(password, salt, iterations, size, digest)
+    Base64.strict_encode64(pbkdf2)
+  end
+end