PerlMonks  

storing passwords (OT??)

by mandog (Curate)
on Dec 06, 2002 at 00:33 UTC ( [id://217950]=perlquestion )

mandog has asked for the wisdom of the Perl Monks concerning the following question:

The application in question is written partly in perl, but my apologies if this question isn't particularly perl related.

One task of our free (beer/source) database application is to check kids in and out of a building quickly by swiping bar-coded badges. Member and check in/out data will be cached locally and SELECTed/INSERTed from a remote database server.

Our problems are balancing ease of use and security and deciding what we want to keep secure.

Some factors:

We will connect to the database as a user with very limited powers. The user will be able to SELECT member & ID data from a single view and INSERT in/out/timestamp data into a single table. The consequences of a total break in security are relatively minor.

Our check in/out component will be running on a task station dedicated exclusively to checking people in and out of the building. We'll restrict the task station to running our application, shutting down the computer and changing the workstation password.

At least a dozen teenagers will be using the workstation to check a couple hundred other teens in and out of the building. The password to the workstation will probably be distributed relatively widely.

The IP number of the NAT gateway the task station is behind is assigned dynamically and this is the IP# we'll be connecting to the database from.

Our current kludgy plan is to store our application as byte code and to store a string in an external file. The application would use some of this string and the MAC address of the workstation, rot13 and crypt to generate the actual database password. --How we hid the password is probably a detail.

We think this would be better than requiring the users to enter an OS password and then a database password. We can't keep the workstation password from wide distribution, but we can limit people's ability to access the database from outside our application.

It feels vaguely like some sort of public/private key thingamajig might do a better job. One thing that bugs me about our current approach is that publishing our code becomes a little problematic. (assuming our code were worth publishing) Again, breached security does not launch nuclear missiles so we probably don't want to go nuts here.

Is there a better/simpler way to do this?



email: mandog#
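
The limited database account described in the question, sketched as an added example (it is not part of the original post or of the poster's application). PostgreSQL syntax is an assumption, since the thread does not name the database, and every table, view and role name is hypothetical.

```sql
-- Added example: PostgreSQL syntax assumed; all object names are hypothetical.
-- Base tables are owned by an administrative role, never by the kiosk login.
CREATE TABLE members (
    member_id  integer PRIMARY KEY,
    badge_code text    NOT NULL UNIQUE,
    full_name  text    NOT NULL,
    home_phone text,   -- stands in for data the check-in station never needs
    notes      text
);

CREATE TABLE checkin_log (
    member_id integer     NOT NULL REFERENCES members (member_id),
    direction text        NOT NULL CHECK (direction IN ('in', 'out')),
    logged_at timestamptz NOT NULL
);

-- The single view exposes only what a badge swipe has to resolve.
CREATE VIEW kiosk_members AS
    SELECT member_id, badge_code, full_name
    FROM members;

-- The login used by the task station. The password is a placeholder.
CREATE ROLE kiosk LOGIN PASSWORD 'REPLACE_ME';

-- Start from nothing, then grant exactly the two operations from the post:
-- SELECT on one view, INSERT on one table.
REVOKE ALL ON members, checkin_log, kiosk_members FROM PUBLIC, kiosk;
GRANT SELECT ON kiosk_members TO kiosk;
GRANT INSERT ON checkin_log   TO kiosk;

-- Check the result as an administrator: what can the kiosk login actually do?
SELECT
    has_table_privilege('kiosk', 'kiosk_members', 'SELECT') AS can_read_view,
    has_table_privilege('kiosk', 'checkin_log',   'INSERT') AS can_insert_log,
    has_table_privilege('kiosk', 'members',       'SELECT') AS can_read_base_table,
    has_table_privilege('kiosk', 'checkin_log',   'SELECT') AS can_read_log,
    has_table_privilege('kiosk', 'checkin_log',   'UPDATE') AS can_edit_log,
    has_table_privilege('kiosk', 'checkin_log',   'DELETE') AS can_delete_log;
```

With grants like these, whoever recovers the stored password gets what the check-in screen already offers (look up a badge, append a log row), which is what keeps the consequences of a break-in bounded regardless of how the password is hidden on the workstation.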

Replies are listed 'Best First'.
Re: storing passwords (OT??)
by waswas-fng (Curate) on Dec 06, 2002 at 04:50 UTC
    Depending on budget, you could use some sort of token card like SecurID to do the OS auth -- this way the students that are authorized to use the system each get assigned a card and only the person holding the card (and knowing the PIN) can log into the system. These systems and the cards have really come down in price over the years and may be well within your budget. If a break-in does happen it can be tracked down to the holder of the card (unless it was stolen, in which case you should have a rule about reporting the card stolen).

    -Waswas
