Since a similar question was regarded as off-topic... I have changed my question (to fit the site rules without doubt) along the lines of a few of the top questions on Stack Overflow itself (given at the bottom).
OS: CentOS (GCC)
Scenario: Online Password Management
Pref: OpenBSD implementation
I'm trying to use bcrypt (using which is final), but I can't seem to find reliable and proper ways of doing it; that includes generating the hashes, overwriting the memory and storing them.
I have seen the top questions on Stack Overflow (and security.stackexchange) tagged bcrypt; as of now, I have not seen a combined example of the proper way of doing it. What I have gathered:
- A 50 (safe) or 72 (extended) character password is the upper limit for bcrypt
- Binary(60) is the common data type to store it
- The current minimum rounds is around 8, and the default is 10
- GNU libgcrypt has bcrypt (I want to see an example using it)
- Also, I'm using some other POSIX functions in my script via "#define _POSIX_C_SOURCE 200809"
Honestly, there are multiple ways of going wrong with putting all those blocks together, and I have also seen how people are noticeably eager to recommend salted password hashes even if they go off topic in other questions.
I'm not asking for the best way (which may divide opinion), but one of the best ways of doing it code-wise.
I have a string 'plainpassword' properly NULL-terminated and sanitized (please don't go into that), containing the password entered by the user.
What next? How do I generate a bcrypt hash now? And how do I properly compare it with the hash queried from MySQL: using strncmp (or even strcmp), or strcoll?
How do I overwrite the plaintext in memory? Do I need anything more?
Should I be using this: https://man.openbsd.org/crypt_checkpass.3
I humbly seek help. Thanks a lot.
Similar Questions on Stack Overflow:
How do I create a SHA1 hash in ruby?
Storing SHA1 hash values in MySQL
HMAC-SHA1: How to do it properly in Java?
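As an added example (not from the question's author, and not tied to libgcrypt or any particular crypt library), here are the three pieces of plumbing the question asks about, in plain C: comparing the stored hash without an early-exit string compare, wiping the plaintext buffer so the optimizer cannot drop the store, and reading the cost field out of a stored `$2b$` string so hashes below the current minimum rounds can be flagged for re-hashing. The hash strings used below are constructed placeholders, not real bcrypt output.

```c
#include <stddef.h>
#include <string.h>

/* Compare two fixed-length byte strings (e.g. two 60-byte bcrypt hashes).
 * strcmp/strncmp/strcoll stop at the first differing byte, so their run
 * time leaks how many leading bytes matched; this loop always touches every
 * byte.  Returns 1 when equal, 0 otherwise. */
int hash_equal(const char *a, const char *b, size_t len)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Overwrite a buffer that held a plaintext password.  A plain memset()
 * right before the buffer dies may be removed as a dead store; writing
 * through a volatile pointer keeps it.  explicit_bzero() (OpenBSD, and
 * glibc 2.25+) is the library form of the same idea. */
void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Parse the cost out of a stored bcrypt string of the form
 * "$2b$10$<22-char salt><31-char hash>" (60 characters in total).
 * Returns the cost, or -1 if the string does not look like bcrypt.
 * A stored cost below the current policy minimum means the password
 * should be re-hashed at the user's next successful login. */
int bcrypt_cost(const char *hash)
{
    if (strlen(hash) != 60)
        return -1;
    if (hash[0] != '$' || hash[1] != '2' ||
        (hash[2] != 'a' && hash[2] != 'b' && hash[2] != 'y') ||
        hash[3] != '$' || hash[6] != '$')
        return -1;
    if (hash[4] < '0' || hash[4] > '9' || hash[5] < '0' || hash[5] > '9')
        return -1;
    return (hash[4] - '0') * 10 + (hash[5] - '0');
}
```

Whatever library produces the hash, the comparison should run over the full 60 bytes with `hash_equal`, and `wipe` should run on the plaintext buffer as soon as the hash call has returned.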