The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Password::OWASP - OWASP recommendations for password storage in perl


version 0.005


    package MyApp::Authentication;

    use Password::OWASP::Scrypt; # or Bcrypt or Argon2

    my $user = get_from_db();

    my $owasp = Password::OWASP::Scrypt->new(

        # optional
        hashing => 'sha512',

        # Optional
        update_method => sub {
            my ($password) = @_;


This module tries to implement OWASP password recommendations for safe storage in Perl. In short OWASP recommends the following:

  • Don't limit password length or characters

  • Hash the password before you crypt them (deprecated)

  • Use either Argon2, PBKDF2, Scrypt or Bcrypt

This module currently supports Argon2, Scrypt and Bcrypt. All implementations hash the password first with SHA-512. SHA-256 and SHA-1 are also supported. This allows for storing password which are longer that 72 characters. OWASP now recommends against this. This module will move away from prehashing. In order to allow for a transition the default will stay, but emit a deprecation warning. You can now set none as a hashing option. This will become the new default.

The check_password method allows for weaker schemes as the module also allows for inplace updates on these passwords. Please note that clear text passwords need to be prepended with {CLEARTEXT} in order for Authen::Passphrase to do its work.



Wesley Schwengle <>


This software is Copyright (c) 2019 by Wesley Schwengle.

This is free software, licensed under:

  The (three-clause) BSD License