genio / digest-bcrypt Goto Github PK

This module is currently using Crypt::Eksblowfish::Bcrypt which is essentially unmaintained for the past decade. In particular, the rest of the world upgraded to the 2b variety of bcrypt back in 2014.

I've recently released Crypt::Bcrypt, which does support modern varieties of bcrypt.

The cpanfile lists:

    requires 'WWW::Mechanize';
    requires 'WWW::Shorten' => '3.09';

The only place these appear is in the depends declarations:
https://github.com/genio/digest-bcrypt/search?utf8=%E2%9C%93&q=WWW

maybe they could be removed.

On Ubuntu 14.04 LTS, we have one server using 1.207 and that works fine. Our same code on a different server with version 1.208 of Digest::Bcrypt fails with this error:
"Salt must be exactly 16 octets long"

The code has been used for months without any issue. Downgrading back to 1.207 makes the code work again without throwing any error.

Data::Entropy::Algorithms::rand_bits(128) is used to generate the salt. The code is verified to be correct. There is an issue in version 1.208 of the module.

An issue from the original repository:

"Any chance you could take a hashref to new, allowing us to specify cost (and possibly other options)?
The next trick would be picking a 'default' cost to use in Digest.pm."

The new minimum cost of 5 associated with Crypt::Bcrypt breaks clients that assume they can pass a cost < 5, for example Dancer2::Plugin::Passphrase, whose default is a cost of 4.

I'm not familiar enough with Bcrypt to know for sure, but maybe it's possible to silently (or with a warning) pin an out-of-range cost to the acceptable input range.