NAME

Password::OWASP - OWASP recommendations for password storage in perl

VERSION

version 0.005

SYNOPSIS

package MyApp::Authentication;

use Password::OWASP::Scrypt; # or Bcrypt or Argon2

my $user = get_from_db();

my $owasp = Password::OWASP::Scrypt->new(

    # optional
    hashing => 'sha512',

    # Optional
    update_method => sub {
        my ($password) = @_;
        $user->update_password($password);
        return;
    },
);

DESCRIPTION

This module tries to implement OWASP password recommendations for safe storage in Perl. In short OWASP recommends the following:

• Don't limit password length or characters

• Hash the password before you crypt them (deprecated)

• Use either Argon2, PBKDF2, Scrypt or Bcrypt

This module currently supports Argon2, Scrypt and Bcrypt. All implementations hash the password first with SHA-512. SHA-256 and SHA-1 are also supported. This allows for storing password which are longer that 72 characters. OWASP now recommends against this. This module will move away from prehashing. In order to allow for a transition the default will stay, but emit a deprecation warning. You can now set none as a hashing option. This will become the new default.

The check_password method allows for weaker schemes as the module also allows for inplace updates on these passwords. Please note that clear text passwords need to be prepended with {CLEARTEXT} in order for Authen::Passphrase to do its work.

SEE ALSO

• Password::OWASP::Argon2

• Password::OWASP::Scrypt

• Password::OWASP::Bcrypt

• OWASP cheatsheet for password storage

• OWASP cheatsheet for authentication storage

• Authen::Passphrase

• Authen::Passphrase::Argon2

• Authen::Passphrase::Scrypt

• Authen::Passphrase::BlowfishCrypt

AUTHOR

Wesley Schwengle <waterkip@cpan.org>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2019 by Wesley Schwengle.

This is free software, licensed under:

The (three-clause) BSD License