I used crypto:sha/1 to hash passwords in my Erlang application.
Should I store the binary obtained directly in Mnesia, or should I convert it to a hex string first?
Use https://github.com/smarkets/erlang-bcrypt to do the hashing rather than SHA1 or MD5.
Using crypto:sha/1 for hashing passwords is dangerous. At least have a salt, but preferably use, say, scrypt, bcrypt or PBKDF2 for storing passwords like this. They are resilient to a number of attacks. Unfortunately, I know of no Erlang support for those :/
One could get an HMAC SHA256 hex digest or an MD5 digest of a password from a front-end application, create a hash using the Erlang method and then store this hash.
For example, if I had a web application, I would ask for the password from users, right at account creation or at login, use JavaScript to create an MD5 digest of this password and send that along the wire (HTTPS) instead of the actual password. On reaching Erlang, I create a hash of this MD5 digest from JavaScript and store that as the user's password. So each time the user attempts to log in on my page, I would do the same process and then compare the hash output of his entry with the one that was stored. Read more on SHA256 HMAC digests by looking at the solutions to this question: HMAC SHA256 hex digest of a string in Erlang, how? and this one: Erlang and JavaScript MD5 Digest match
Actually, you store tuples (or records, which are the same thing) in Mnesia, but in the fields of those records you can store any term (including binaries). It's not necessary to convert them to strings.
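Putting the two answers together (store the hash as a raw binary term, and use erlang-bcrypt rather than crypto:sha/1), here is an added example module; it is not code from the question or from any of the answers. It assumes the erlang-bcrypt API (bcrypt:gen_salt/0 and bcrypt:hashpw/2), a single-node RAM-only Mnesia table, and illustrative record and module names.

```erlang
%% Added example, not from the original page. Assumes erlang-bcrypt is
%% started (application:start(bcrypt)) and that the table/record name
%% `user` and module name `pw_store` are placeholders chosen here.
-module(pw_store).
-export([init/0, create_user/2, check_password/2]).

-record(user, {name :: binary(), pw_hash :: binary()}).

%% RAM-only table on the local node; no on-disk schema needed.
init() ->
    ok = mnesia:start(),
    {atomic, ok} = mnesia:create_table(user,
        [{attributes, record_info(fields, user)}, {ram_copies, [node()]}]),
    ok.

%% bcrypt returns a self-describing string (cost + salt + digest).
%% Keep it as a binary term: Mnesia stores any term, so no hex encoding.
create_user(Name, Password) when is_binary(Name) ->
    {ok, Salt} = bcrypt:gen_salt(),
    {ok, Hash} = bcrypt:hashpw(Password, Salt),
    Rec = #user{name = Name, pw_hash = iolist_to_binary(Hash)},
    {atomic, ok} = mnesia:transaction(fun() -> mnesia:write(Rec) end),
    ok.

check_password(Name, Password) ->
    case mnesia:dirty_read(user, Name) of
        [#user{pw_hash = Stored}] ->
            %% Hashing with the stored hash as the "salt" reuses its cost
            %% and salt, so the result is comparable to what was stored.
            {ok, Candidate} = bcrypt:hashpw(Password, binary_to_list(Stored)),
            const_eq(iolist_to_binary(Candidate), Stored);
        [] ->
            %% Do the same amount of work for unknown users so response
            %% time does not reveal whether the account exists.
            {ok, Salt} = bcrypt:gen_salt(),
            _ = bcrypt:hashpw(Password, Salt),
            false
    end.

%% Constant-time comparison of two equal-length binaries.
const_eq(A, B) when byte_size(A) =:= byte_size(B) ->
    Pairs = lists:zip(binary_to_list(A), binary_to_list(B)),
    0 =:= lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0, Pairs);
const_eq(_, _) ->
    false.
```

Run `pw_store:init()`, then `pw_store:create_user(<<"alice">>, "secret")` and `pw_store:check_password(<<"alice">>, "secret")` in an Erlang shell where the bcrypt application is running.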