[rabbitmq-discuss] Password Hashing

Simon MacMullen simon at rabbitmq.com
Tue May 10 11:06:34 BST 2011


On 09/05/11 17:44, Denny, Peet (London)(c) wrote:
> Hi,
> The REST api documentation says that we can create users with a hashed
> password instead of one in clear text.
> An individual user. To PUT a user, you will need a body looking
> something like this:
>
> ... {"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "administrator":true}
>
> This suggests that there is a hashing library somewhere for us to use to achieve this.
> Is that the case?

Hi Danny. My expectation in writing that documentation was that people 
would use a password hash from a user they'd already done a GET on, or 
set it to "" to lock the account. So there's no library apart from the 
server implementation, starting at 
rabbit_auth_backend_internal:hash_password/1:

http://hg.rabbitmq.com/rabbitmq-server/file/df7aa5d114ae/src/rabbit_auth_backend_internal.erl#l204

However, the algorithm is quite simple if you want to implement it 
yourself. Here's a worked example:

Generate a random 32 bit salt:
CA D5 08 9B

Concatenate that with the UTF-8 representation of the password (in this 
case "simon"):
CA D5 08 9B 73 69 6D 6F 6E

Take the MD5 hash:
CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

Concatenate the salt again:
CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

And convert to base64 encoding:
ytUIm8s3AnKsXQjptplKFytfVxI=

Cheers, Simon

-- 
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
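The scheme Simon walks through, as an added Python example (not the rabbitmq-server code): it reproduces the `password_hash` value from the post and also verifies a candidate password by extracting the salt from a stored hash and comparing in constant time. MD5 with a 4-byte salt is the 2011 scheme described here; later RabbitMQ releases default to SHA-256 for this step.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 4  # 32-bit random salt, as in the post


def hash_password(password, salt=None):
    """Return the base64 password_hash for the scheme in the post:
    base64( salt || MD5( salt || utf8(password) ) )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password, password_hash):
    """Check a candidate password against a stored password_hash.
    Returns False rather than raising for an empty or malformed stored
    value, so an account locked with "" simply fails to authenticate."""
    try:
        stored = base64.b64decode(password_hash, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if len(stored) != SALT_LEN + hashlib.md5().digest_size:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = hashlib.md5(salt + password.encode("utf-8")).digest()
    # Constant-time comparison so a wrong guess does not leak timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # The worked example from the post: salt CA D5 08 9B, password "simon".
    salt = bytes.fromhex("CAD5089B")
    print(hash_password("simon", salt))  # ytUIm8s3AnKsXQjptplKFytfVxI=
    print(verify_password("simon", "ytUIm8s3AnKsXQjptplKFytfVxI="))  # True
```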
