Proposal for a more secure veb.auth hashing/salting method

[449]

As mentioned here the current solution is insecure.

Quote:

Security considerations

hash_password_with_salt and its related functions use sha256 for hashing with a single iteration. This is not secure for production use, and you should use a more secure hashing algorithm and multiple iterations.

I have a proposal to use crypto.pbkdf2 with multiple iterations. The following code test example should be far more secure. I am sure it can be adapted so that there are no breaking changes. Thoughts?

import crypto.sha512
import crypto.pbkdf2
import rand

// The following are recommended for a strong hashed password
const salt_length = 16
const iterations = 100000 // lower = faster but less secure
const key_length = 64

fn main() {
	password := 'test'
	salt := generate_salt()
	hashed_password := hash_password_with_salt(password, salt, iterations, key_length)
	println('Hashed Password: ${hashed_password}')
}

pub fn generate_salt() []u8 {
	mut salt := []u8{len: salt_length} // Create a byte array of length = salt_length
	rand.read(mut salt) // Fill the salt with random bytes
	return salt
}

pub fn hash_password_with_salt(password string, salt []u8, iterations int, key_length int) string {
	password_bytes := password.bytes()
	key := pbkdf2.key(password_bytes, salt, iterations, key_length, sha512.new()) or {
		panic('Failed to hash password: ${err}')
	}
	// Return the key as a hexadecimal string
	return key.hex().str()
}

[Avey777]

A very useful idea, I can use it

[449]

Thanks. I have been working on it again today. I have now also incorporated a method for constant-time comparison. I will post another updated example soon.

[449]

Ok I'm going to keep this local until I am happy with the result. As this forum isn't very active I will only post updates if there's further interest. But either way, hopefully auth.v is updated by somebody soon because there are some major security issues