{"id":28614198,"url":"https://github.com/perldancer/dancer2-plugin-passphrase","last_synced_at":"2025-06-28T10:33:49.598Z","repository":{"id":23673190,"uuid":"27044448","full_name":"PerlDancer/Dancer2-Plugin-Passphrase","owner":"PerlDancer","description":"Passphrases and Passwords as objects for Dancer2","archived":false,"fork":false,"pushed_at":"2022-05-30T09:11:19.000Z","size":69,"stargazers_count":3,"open_issues_count":0,"forks_count":8,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-06-19T02:37:36.921Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"artistic-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PerlDancer.png","metadata":{"files":{"readme":"README.markdown","changelog":"CHANGES","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-23T19:28:13.000Z","updated_at":"2022-05-28T12:34:49.000Z","dependencies_parsed_at":"2022-09-02T03:40:48.541Z","dependency_job_id":null,"html_url":"https://github.com/PerlDancer/Dancer2-Plugin-Passphrase","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/PerlDancer/Dancer2-Plugin-Passphrase","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PerlDancer%2FDancer2-Plugin-Passphrase","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PerlDancer%2FDancer2-Plugin-Passphrase/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PerlDancer%2FDancer2-Plugin-Passphrase/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PerlDancer%2FDancer2-Plugin-Passphrase/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/owners/PerlDancer","download_url":"https://codeload.github.com/PerlDancer/Dancer2-Plugin-Passphrase/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PerlDancer%2FDancer2-Plugin-Passphrase/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259374995,"owners_count":22847878,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-12T01:13:23.615Z","updated_at":"2025-06-12T01:13:31.492Z","avatar_url":"https://github.com/PerlDancer.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"# NAME\n\nDancer2::Plugin::Passphrase - Passphrases and Passwords as objects for Dancer2\n\n# SYNOPSIS\n\nThis plugin manages the hashing of passwords for Dancer2 apps, allowing \ndevelopers to follow cryptography best practices without having to \nbecome a cryptography expert.\n\nIt uses the bcrypt algorithm as the default, while also supporting any\nhashing function provided by [Digest](https://metacpan.org/pod/Digest) \n\n# MORE INFORMATION\n\n## Purpose\n\nThe aim of this module is to help you store new passwords in a secure manner, \nwhilst still being able to verify and upgrade older passwords.\n\nCryptography is a vast and complex field. 
Many people try to roll their own \nmethods for securing user data, but succeed only in coming up with \na system that has little real security.\n\nThis plugin provides a simple way of managing that complexity, allowing \ndevelopers to follow crypto best practice without having to become an expert.\n\n## Rationale\n\nThe module defaults to hashing passwords using the bcrypt algorithm, returning them\nin RFC 2307 format.\n\nRFC 2307 describes an encoding system for passphrase hashes, as used in the \"userPassword\"\nattribute in LDAP databases. It encodes hashes as ASCII text, and supports several \npassphrase schemes by starting the encoding with an alphanumeric scheme identifier enclosed \nin braces.\n\nRFC 2307 only specifies the `MD5` and `SHA` schemes; however, in real-world usage,\nschemes that are salted are widely supported, and are thus provided by this module.\n\nBcrypt is an adaptive hashing algorithm that is designed to resist brute \nforce attacks by including a cost (aka work factor). This cost increases \nthe computational effort it takes to compute the hash.\n\nSHA and MD5 are designed to be fast, and modern machines compute a billion \nhashes a second. With computers getting faster every day, brute forcing \nSHA hashes is a very real problem that cannot be easily solved.\n\nIncreasing the cost of generating a bcrypt hash is a trivial way to make \nbrute forcing ineffective. With a low cost setting, bcrypt is just as secure \nas a more traditional SHA+salt scheme, and just as fast. Increasing the cost\nas computers become more powerful keeps you one step ahead.\n\nFor a more detailed description of why bcrypt is preferred, see this article: \n[http://codahale.com/how-to-safely-store-a-password/](http://codahale.com/how-to-safely-store-a-password/)\n\n## Common Mistakes\n\nCommon mistakes people make when creating their own solution. 
If any of these \nseem familiar, you should probably be using this module.\n\n- Passwords are stored as plain text for a reason\n\n    There is never a valid reason to store a password as plain text.\n    Passwords should be reset and not emailed to customers when they forget.\n    Support people should be able to log in as a user without knowing the user's password.\n    No-one except the user should know the password - that is the point of authentication.\n\n- No-one will ever guess our super secret algorithm!\n\n    Unless you're a cryptography expert with many years spent studying \n    super-complex maths, your algorithm is almost certainly not as secure \n    as you think. Just because it's hard for you to break doesn't mean\n    it's difficult for a computer.\n\n- Our application-wide salt is \"Sup3r\\_S3cret\\_L0ng\\_Word\" - No-one will ever guess that.\n\n    This is a common misunderstanding of what a salt is meant to do. The purpose of a \n    salt is to make sure the same password doesn't always generate the same hash.\n    A fresh salt needs to be created each time you hash a password. It isn't meant \n    to be a secret key.\n\n- We generate our random salt using `rand`.\n\n    `rand` isn't actually random, it's a non-uniform pseudo-random number generator, \n    and not suitable for cryptographic applications. Whilst this module also defaults to \n    a PRNG, it is better than the one provided by `rand`. Using a true RNG is a config\n    option away, but is not the default as it could block if the\n    system does not have enough entropy to generate a truly random number.\n\n- We use `md5(pass.salt)`, and the salt is from `/dev/random`\n\n    MD5 has been broken for many years. 
Commodity hardware can find a \n    hash collision in seconds, meaning an attacker can easily generate \n    the correct MD5 hash without using the correct password.\n\n- We use `sha(pass.salt)`, and the salt is from `/dev/random`\n\n    SHA isn't quite as broken as MD5, but it shares the same theoretical \n    weaknesses. Even without hash collisions, it is vulnerable to brute forcing.\n    Modern hardware is so powerful it can try around a billion hashes a second. \n    That means every 7 character password in the range \\[A-Za-z0-9\\] can be cracked \n    in one hour on your average desktop computer.\n\n- If the only way to break the hash is to brute-force it, it's secure enough\n\n    It is unlikely that your database will be hacked and your hashes brute forced.\n    However, in the event that it does happen, or SHA512 is broken, using this module\n    gives you an easy way to change to a different algorithm, while still allowing\n    you to validate old passphrases.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fperldancer%2Fdancer2-plugin-passphrase","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fperldancer%2Fdancer2-plugin-passphrase","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fperldancer%2Fdancer2-plugin-passphrase/lists"}