Do you have any recommendations for state-of-the-art
password hashing in Ruby?
I have been using the bcrypt gem, but I read that some newer
algorithms are considered more secure, like e.g. scrypt or Argon2.
There exist gems for both of them (for scrypt at least two,
"scrypt" and "scrypt-ruby").
1) I would be interested in recommendations for a well maintained
and widely used gem.
2) Additionally, I would be happy about pointers to solutions that
would work on Windows out of the box, for uncomplicated use
in teaching. (The machines were set up using the ruby-installer;
`gem install` works fine, but I'm not confident that installation
of the devkit or registry modifications would be possible.)
Regarding the second part of my question (hashing on Windows):
Installing pure Ruby gems works fine in our computer lab;
however, I haven't been able to install a single native gem using
rubyinstaller's DevKit. I do not have full admin access to the
machines, and I do not exactly know how the environment is set
up, especially whether there have been any modifications in
the Ruby installation, like path settings etc.
I tried several options, without success:
* argon2, scrypt: native extensions, build fails for us
* bcrypt: should(?) offer pre-built binaries for Windows,
but supposedly not for Ruby 2.3
* rbnacl with libsodium: setup as explained on the project
pages does not work for us
I _really_ wanted to use a production-ready algorithm even
for our toy app, instead of IMO starting off on the wrong foot
by using MD5 and always pointing out that "you absolutely
should not do that for a real app"...
Alas, it doesn't seem to be possible...
Any ideas or alternatives?
Regards,
Marcus
On 29.01.2017 at 18:15, stomar wrote:
2) Additionally, I would be happy about pointers to solutions that
would work on Windows out of the box, for uncomplicated use
in teaching. (The machines were set up using the ruby-installer;
`gem install` works fine, but I'm not confident that installation
of the devkit or registry modifications would be possible.)
I _really_ wanted to use a production-ready algorithm even
for our toy app, instead of IMO starting off on the wrong foot
by using MD5 and always pointing out that "you absolutely
should not do that for a real app"...
A stupid, but possible solution would be to create a pure Ruby fake b-/scrypt library, mimicking the needed part of the original API. The implementation does not have to be real.
Regards Michal
On 31.01.2017 at 20:48, sto.mar@web.de wrote:
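Michal's suggestion above, worked through as an added example (not code from the thread or from the bcrypt gem): a pure-Ruby drop-in with the same `create` / `==` / `valid_hash?` shape as `BCrypt::Password`, so a teaching app written against it can later switch to the real gem without code changes. Rather than a fake, it assumes Ruby's bundled OpenSSL extension (which RubyInstaller ships) is loadable and uses `OpenSSL::PKCS5.pbkdf2_hmac`; the module name `FakeBCrypt` and the storage format are constructed here, and the hashes are not interchangeable with real bcrypt output.

```ruby
require 'openssl'
require 'securerandom'

module FakeBCrypt
  # Stand-in for BCrypt::Password: same create / == / valid_hash? shape,
  # but backed by PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL extension.
  class Password < String
    DEFAULT_COST = 100_000 # PBKDF2 iterations (bcrypt's "cost" is a log2 work factor instead)
    KEY_LEN = 32
    # Constructed storage format: $pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>
    FORMAT = %r{\A\$pbkdf2-sha256\$(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)\z}

    attr_reader :cost, :salt, :digest

    # Mirrors BCrypt::Password.create(secret, cost: n): fresh random salt per hash
    def self.create(secret, cost: DEFAULT_COST)
      salt = SecureRandom.random_bytes(16)
      digest = derive(secret.to_s, salt, cost)
      new("$pbkdf2-sha256$#{cost}$#{[salt].pack('m0')}$#{[digest].pack('m0')}")
    end

    # Mirrors BCrypt::Password.valid_hash?(str)
    def self.valid_hash?(str)
      !!(FORMAT =~ str.to_s)
    end

    def self.derive(secret, salt, iterations)
      OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, iterations, KEY_LEN, 'sha256')
    end

    # Parses a stored hash back into its parameters (as BCrypt::Password.new does)
    def initialize(raw_hash)
      m = FORMAT.match(raw_hash) or raise ArgumentError, 'invalid hash'
      @cost = m[1].to_i
      @salt = m[2].unpack('m0')[0]
      @digest = m[3].unpack('m0')[0]
      super(raw_hash)
    end

    # Mirrors BCrypt::Password#==(secret): recompute with the stored salt and
    # cost, then compare without short-circuiting on the first differing byte
    def ==(secret)
      candidate = self.class.derive(secret.to_s, @salt, @cost)
      return false unless candidate.bytesize == @digest.bytesize
      candidate.bytes.zip(@digest.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
    alias is_password? ==
  end
end
```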