Hash passwords with BCrypt instead of SHA1

BCrypt is regarded as a more secure alternative to hashing using message digest algorithms, such as MD5 and SHA families [0, 1, 2]. Apart from built-in salting it is adaptable to the increasing power of modern processing units, which makes it more secure against brute-force cracking. This commit makes all passwords hashed using BCrypt. The session tokens remain generated using SHA1. Tests were updated, `rake test:units` and `rake test:functionals` didn't report any regressions. [0] http://bcrypt.sourceforge.net/ [1] http://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=439692871 [2] eab1c72/README.md
2025-12-16 15:20:13 +01:00 · 2011-07-23 10:52:38 +02:00 · 2011-07-23 10:52:38 +02:00 · 95f0f71441
commit 95f0f71441
parent 0b88c72570
7 changed files with 24 additions and 17 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -24,6 +24,7 @@ GEM
    activeresource (2.3.14)
      activesupport (= 2.3.14)
    activesupport (2.3.14)
+    bcrypt-ruby (2.1.4)
    builder (3.0.0)
    cgi_multipart_eof_fix (2.5.0)
    cucumber (1.0.2)
@ -96,6 +97,7 @@ DEPENDENCIES
  ZenTest (>= 4.0.0)
  aasm (= 2.2.0)
  actionwebservice!
+  bcrypt-ruby (~> 2.1.4)
  cucumber-rails (~> 0.3.0)
  database_cleaner (>= 0.5.0)
  flexmock