Hash passwords with BCrypt instead of SHA1

BCrypt is regarded as a more secure alternative to hashing using message digest algorithms, such as MD5 and SHA families [0, 1, 2]. Apart from built-in salting it is adaptable to the increasing power of modern processing units, which makes it more secure against brute-force cracking. This commit makes all passwords hashed using BCrypt. The session tokens remain generated using SHA1. Tests were updated, `rake test:units` and `rake test:functionals` didn't report any regressions. [0] http://bcrypt.sourceforge.net/ [1] http://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=439692871 [2] eab1c72/README.md
2026-02-22 15:14:07 +01:00 · 2011-07-23 10:52:38 +02:00 · 2011-07-23 10:52:38 +02:00 · 95f0f71441
commit 95f0f71441
parent 0b88c72570
7 changed files with 24 additions and 17 deletions
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@ -2,7 +2,7 @@
 admin_user:
  id: 1
  login: admin
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--") %>
+  crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--abracadabra--") %>
  token: <%= Digest::SHA1.hexdigest("adminSat Feb 25 17:14:00 GMT 20060.236961325863376") %>
  is_admin: true
  first_name: Admin
@ -12,7 +12,7 @@ admin_user:
 other_user:
  id: 2
  login: jane
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
+  crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--sesame--") %>
  token: <%= Digest::SHA1.hexdigest("janeSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
  is_admin: false
  first_name: Jane
@ -32,7 +32,7 @@ ldap_user:
 sms_user:
  id: 4
  login: sms_user
-  crypted_password: <%= Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--") %>
+  crypted_password: <%= BCrypt::Password.create("#{Tracks::Config.salt}--sesame--") %>
  token: <%= Digest::SHA1.hexdigest("sms_userSun Feb 19 14:42:45 GMT 20060.408173979260027") %>
  is_admin: false
  first_name: SMS