BCrypt hashes

Does anyone has experience with using bcrypt in Lucee?
It looks like it’s not supported out of the box, any pointers are much
appreciated!

Kind regards, Michael

I use it regularly though it’s def not an out of the box feature (that I
know of). You have to add the JAR file to your class path and call on it
from there. I have example code and a CFC for using it over on Github

Cheers.On Thursday, April 2, 2015 at 11:34:54 PM UTC-4, Michael van Leest wrote:

Does anyone has experience with using bcrypt in Lucee?
It looks like it’s not supported out of the box, any pointers are much
appreciated!

Kind regards, Michael

Another option is my cfPassphrase project, which defaults to using
BCrypt (but also offers PBKDF2 and SCrypt).

http://sorcerersisle.com/projects:cfpassphrase

It has been tested on Lucee 4.5.1 and Java 8, but is also compatible
with Railo, OpenBD and CF9+ and compiled on Java 6.

Provides custom built-in functions, or can be used via createObject.

Currently the BIFs need manual install (copying files) - I’ll be doing
the auto-deploy thing once Lucee 5 is in beta.

https://github.com/boughtonp/cfpassphrase/wiki/Installation#lucee--railo

As always, feedback/etc is welcome.

Thanks Jamie.

Looking at your code, you default to 1 hour of seed caching? Does that have
any side effects on security? I’m not familiar with bcrypt, yet, so if
there might be some implications for caching a seed for x time, than I can
live with a longer request for logins.

Kind regards and thanks, MikeOn Friday, April 3, 2015, Jamie Jackson <@Jamie_Jackson> wrote:

Whichever way you end up using it, be sure to reuse the seed for a while;
otherwise, you can eat up entropy and cause big problems during times of
concurrent user-registration/password-generation.

I contributed a patch that fixed this for Mura, and my notes are worth a
read: https://github.com/blueriver/MuraCMS/pull/1245

Thanks,
Jamie

On Fri, Apr 3, 2015 at 2:57 PM, Peter Boughton <@Peter_Boughton <javascript:_e(%7B%7D,‘cvml’,’@Peter_Boughton’);>> wrote:

Another option is my cfPassphrase project, which defaults to using
BCrypt (but also offers PBKDF2 and SCrypt).

http://sorcerersisle.com/projects:cfpassphrase

It has been tested on Lucee 4.5.1 and Java 8, but is also compatible
with Railo, OpenBD and CF9+ and compiled on Java 6.

Provides custom built-in functions, or can be used via createObject.

Currently the BIFs need manual install (copying files) - I’ll be doing
the auto-deploy thing once Lucee 5 is in beta.

https://github.com/boughtonp/cfpassphrase/wiki/Installation#lucee--railo

As always, feedback/etc is welcome.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/20150403195713.00006b81%40sorcerersisle.com
.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CA%2BonWPfhsw9A-OqN72wUk7KFkTTpY0UFWzuhj79FJcveF%2BYzsQ%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CA%2BonWPfhsw9A-OqN72wUk7KFkTTpY0UFWzuhj79FJcveF%2BYzsQ%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.


Sent from Gmail Mobile

All is very clear. Not caching seems the best way and as intended. It’s
better to choose a algorithm that fit each need and performance than trying
to cut corners with one algorithm.

Thanks againOn Saturday, April 4, 2015, Peter Boughton <@Peter_Boughton> wrote:

Now I’m more awake, I don’t think that pull request is right.

Looking at the commit changes, what’s being cached/re-used there is the
salt, which should be unique for every hash.
(This then prevents pre-generation of lookup tables, since attackers
must attack each hash individually.)

It is possible to re-generate the salt without re-seeding - the genSalt
in that code is being called only passing the first argument (rounds),
but genSalt can also receive a second argument - a SecureRandom
instance - so providing the same instance should maintain the seed
whilst still providing a new salt.

Mike:
Not sure that’s a clear explanation, but if in doubt don’t cache at all.
This only affects the generation - i.e. user registration and similar.
Logging in will use the existing hash’s salt so isn’t affected.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com <javascript:;>.
To post to this group, send email to lucee@googlegroups.com <javascript:;>
.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/20150404123233.00000b10%40sorcerersisle.com
.
For more options, visit https://groups.google.com/d/optout.


Sent from Gmail Mobile