Hash passwords with BCrypt instead of SHA1

BCrypt is regarded as a more secure alternative to hashing using message digest algorithms, such as MD5 and SHA families [0, 1, 2]. Apart from built-in salting it is adaptable to the increasing power of modern processing units, which makes it more secure against brute-force cracking. This commit makes all passwords hashed using BCrypt. The session tokens remain generated using SHA1. Tests were updated, `rake test:units` and `rake test:functionals` didn't report any regressions. [0] http://bcrypt.sourceforge.net/ [1] http://en.wikipedia.org/w/index.php?title=Bcrypt&oldid=439692871 [2] eab1c72/README.md
2026-01-06 17:28:50 +01:00 · 2011-07-23 10:52:38 +02:00 · 2011-07-23 10:52:38 +02:00 · 95f0f71441
commit 95f0f71441
parent 0b88c72570
7 changed files with 24 additions and 17 deletions
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@ -33,7 +33,7 @@ class UserTest < ActiveSupport::TestCase
    assert_kind_of User, @admin_user
    assert_equal 1, @admin_user.id
    assert_equal "admin", @admin_user.login
-    assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--abracadabra--")}", @admin_user.crypted_password
+    assert_not_nil @admin_user.crypted_password
    assert_not_nil @admin_user.token
    assert @admin_user.is_admin
  end
@ -43,7 +43,7 @@ class UserTest < ActiveSupport::TestCase
    assert_kind_of User, @other_user
    assert_equal 2, @other_user.id
    assert_equal "jane", @other_user.login
-    assert_equal "#{Digest::SHA1.hexdigest("#{Tracks::Config.salt}--sesame--")}", @other_user.crypted_password
+    assert_not_nil @other_user.crypted_password
    assert_not_nil @other_user.token
    assert @other_user.is_admin == false || @other_user.is_admin == 0
  end