Changes for version 0.005 - 2022-09-02

  • Deprecate hash_password in favour of prehash_password. In a future release crypt_password will be renamed to hash_password: "crypt" suggests a two-way function whose output can be decrypted, which a password hash is not.
  • Prehashing can be disabled by setting hashing to "none". OWASP now recommends against prehashing with a fast unsalted hash because of hash shucking: if a user's password was also stored by a compromised site as an unsalted shaXXX hash, an attacker can feed those leaked hashes straight into the slow hash as candidates without knowing any password, and once one matches only the cheap shaXXX hash stands between the attacker and the original password. The default will change to "none" in a future release, planned for Jan 2023.
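To make the shucking argument concrete, here is an added Python sketch. It is not code from Password::OWASP: hashlib's scrypt stands in for the module's slow hash, unsalted SHA-256 for the shaXXX pre-hash, and the salt, the "leaked" hash list and the wordlist are all constructed for the demo. The same record is built once with prehashing (old default) and once with the equivalent of hashing => "none", and only the first can be shucked.

```python
"""Hash shucking against slow_hash(fast_hash(password)).

Added example, not code from Password::OWASP. scrypt (via hashlib) plays the
slow password hash, unsalted SHA-256 plays the fast pre-hash.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Deliberately small scrypt parameters so the demo runs in well under a second.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1

Record = Tuple[bytes, bytes]  # (salt, digest)


def prehash(password: bytes) -> bytes:
    """Fast, unsalted pre-hash: the layer that shucking strips away."""
    return hashlib.sha256(password).hexdigest().encode("ascii")


def slow_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store(password: bytes, salt: bytes, prehashing: bool) -> Record:
    """prehashing=True mimics the old default; False mimics hashing => 'none'."""
    material = prehash(password) if prehashing else password
    return salt, slow_hash(material, salt)


def check(password: bytes, record: Record, prehashing: bool) -> bool:
    salt, digest = record
    material = prehash(password) if prehashing else password
    return hmac.compare_digest(slow_hash(material, salt), digest)


def shuck(record: Record, leaked_fast_hashes: Iterable[bytes]) -> Optional[bytes]:
    """Attacker step 1: try each leaked *hash* as scrypt input; no password needed."""
    salt, digest = record
    for h in leaked_fast_hashes:
        if hmac.compare_digest(slow_hash(h, salt), digest):
            return h
    return None


def crack_fast_hash(target: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Attacker step 2: the slow layer is gone, crack the cheap unsalted SHA-256."""
    for word in wordlist:
        if prehash(word) == target:
            return word
    return None


def demo(prehashing: bool) -> Optional[bytes]:
    """Return the recovered password, or None if shucking fails."""
    salt = b"\x00" * 16  # fixed salt so the run is reproducible (constructed)
    record = store(b"correct horse", salt, prehashing)
    # Constructed "breach" of another site that stored unsalted SHA-256.
    # The attacker holds only these hashes, not the passwords behind them.
    leaked = [prehash(p) for p in (b"password1", b"letmein", b"correct horse", b"qwerty")]
    hit = shuck(record, leaked)
    if hit is None:
        return None
    # Constructed wordlist; in practice this step is offline and cheap.
    return crack_fast_hash(hit, [b"123456", b"letmein", b"correct horse"])


if __name__ == "__main__":
    print("prehashing on :", demo(True))   # password recovered
    print("prehashing off:", demo(False))  # None, leaked hashes are not valid input
```

With prehashing enabled the attacker pays one scrypt call per leaked hash rather than per guess, and every further guess costs only a SHA-256; with hashing => "none" the leaked SHA-256 values are simply the wrong input to scrypt and the slow hash has to be paid for every guess again.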


OWASP recommendations for password storage in perl
Abstract base class to implement OWASP password recommendations
An Argon2 implementation of Password::OWASP
A BlowfishCrypt implementation of Password::OWASP
An Scrypt implementation of Password::OWASP