Hash passwords with BCrypt instead of SHA1

BCrypt is regarded as a more secure alternative to hashing using message
digest algorithms, such as MD5 and SHA families [0, 1, 2]. Apart from
built-in salting, it can be tuned to keep pace with the increasing power of modern
processing units, which makes it more resistant to brute-force cracking.

This commit makes all passwords hashed using BCrypt. The session tokens
remain generated using SHA1. Tests were updated, `rake test:units` and
`rake test:functionals` didn't report any regressions.

[0] http://bcrypt.sourceforge.net/
[1] http://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=439692871
[2] eab1c72/README.md
Jan Stępień 2011-07-23 10:52:38 +02:00
parent 0b88c72570
commit 95f0f71441
7 changed files with 24 additions and 17 deletions


@ -2,7 +2,7 @@
admin_user:
id: 1
login: admin
crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--") %>
crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--abracadabra--") %>
token: <%= Digest::SHA1.hexdigest("adminSat Feb 25 17:14:00 GMT 20060.236961325863376") %>
is_admin: true
first_name: Admin
@ -12,7 +12,7 @@ admin_user:
other_user:
id: 2
login: jane
crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--sesame--") %>
token: <%= Digest::SHA1.hexdigest("janeSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
is_admin: false
first_name: Jane
@ -32,7 +32,7 @@ ldap_user:
sms_user:
id: 4
login: sms_user
crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--sesame--") %>
token: <%= Digest::SHA1.hexdigest("sms_userSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
is_admin: false
first_name: SMS
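Review bot: `BCrypt::Password.create("#{Tracks::Config.salt}--abracadabra--")` on the admin_user, other_user and sms_user lines feeds the application-wide salt into bcrypt, which already generates a random per-hash salt, and bcrypt only uses the first 72 bytes of its input, so if `Tracks::Config.salt` (not visible here) is long the `--<password>--` suffix is partly or wholly ignored and distinct passwords collapse onto the same hash. Hashing the bare password, `BCrypt::Password.create("abracadabra")`, avoids both issues, provided the model's hashing, which is outside this section, is changed the same way. These fixtures are also re-hashed on every test run at bcrypt's default cost; passing `:cost => BCrypt::Engine::MIN_COST` in the test environment keeps fixture loading fast without affecting production hashes.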


@ -68,7 +68,7 @@ class UsersControllerTest < ActionController::TestCase
post :update_password, :updateuser => {:password => 'newpassword', :password_confirmation => 'newpassword'}
assert_redirected_to preferences_path
@updated_user = User.find(users(:admin_user).id)
assert_equal @updated_user.crypted_password, Digest::SHA1.hexdigest("#{Tracks::Config.salt}--newpassword--")
assert_not_nil User.authenticate(@updated_user.login, 'newpassword')
assert_equal "Password updated.", flash[:notice]
end
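Review bot: `assert_not_nil User.authenticate(@updated_user.login, 'newpassword')` only shows the new password is accepted; it does not show the previous one was invalidated or that the stored value is in the new format, so pair it with `assert_nil User.authenticate(@updated_user.login, 'abracadabra')` (the admin_user fixture's former password) and `assert BCrypt::Password.valid_hash?(@updated_user.crypted_password)`. That `User.authenticate` returns nil on failure is inferred from the positive assertion; confirm against the model, which is not in this diff. The enclosing test method starts outside the hunk.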


@ -33,7 +33,7 @@ class UserTest < ActiveSupport::TestCase
assert_kind_of User, @admin_user
assert_equal 1, @admin_user.id
assert_equal "admin", @admin_user.login
assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--")}", @admin_user.crypted_password
assert_not_nil @admin_user.crypted_password
assert_not_nil @admin_user.token
assert @admin_user.is_admin
end
@ -43,7 +43,7 @@ class UserTest < ActiveSupport::TestCase
assert_kind_of User, @other_user
assert_equal 2, @other_user.id
assert_equal "jane", @other_user.login
assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--")}", @other_user.crypted_password
assert_not_nil @other_user.crypted_password
assert_not_nil @other_user.token
assert @other_user.is_admin == false || @other_user.is_admin == 0
end
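Review bot: Replacing the exact-value check with `assert_not_nil @admin_user.crypted_password` (and the same for @other_user in the second hunk) drops the only assertion that the fixture's stored value verifies against the known password; a non-empty column of any content now passes. Bcrypt output is randomized, so equality cannot be restored, but the contract can be kept with `assert_not_nil User.authenticate(@admin_user.login, 'abracadabra')` and `assert_not_nil User.authenticate(@other_user.login, 'sesame')`, or, if the test is meant to pin the exact pre-hash string, `assert BCrypt::Password.new(@admin_user.crypted_password) == "#{Tracks::Config.salt}--abracadabra--"`. Both enclosing test methods start outside their hunks.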