Crypt::CBC and verifying passwords
by geektron on May 19, 2004 at 17:41 UTC
geektron has asked for the wisdom of the Perl Monks concerning the following question:
An application that I'm maintaining originally used Crypt::DES to 'encrypt' passwords for storage in a cookie to maintain a logged-in user. The app has decided to break with passwords longer than 8 bytes (which I found out is a limitation of Crypt::DES -- it only handles 8-byte data).
Today I'm working on replacing the Crypt::DES with Crypt::CBC to allow for arbitrary-length password strings, but I can't get validation/verification of the passwords from the cookie.
In the set_cookie routine:
and the new $epassword is tossed into the cookie.
And later (on subsequent hits to the app, essentially) we check the cookie pass against the DB pass like so:
where $dbpw is just fetched from the DB based on the username ....
And the values don't match. The newly encrypted $dbpw and the value from the cookie, that is.
After reading a couple of other nodes (Crypt::CBC question, Safe symmetric encryption - Crypt::CBC + Crypt::Blowfish?), a block cipher (like DES) should allow for comparison.
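
The check described in this post, as an added example that is not part of the original node or the application's code: in its default salted-header mode Crypt::CBC draws a fresh random salt for every encryption, so encrypting the same password twice gives two different values, and the cookie has to be verified by decrypting it instead. The key, the password, the choice of Blowfish and the helper name `cookie_matches` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;

# Constructed sample values (placeholders, not from the original post).
my $key  = 'constructed-example-key';
my $dbpw = 'a password longer than 8 bytes';

# Assumption: Blowfish via Crypt::Blowfish. Any block cipher that
# Crypt::CBC can load behaves the same way for this comparison.
my $cipher = Crypt::CBC->new( -key => $key, -cipher => 'Blowfish' );

# What set_cookie would store: hex-encoded ciphertext of the password.
my $cookie_value = $cipher->encrypt_hex($dbpw);

# Re-encrypting the DB password and comparing ciphertexts: each call to
# encrypt_hex() uses a new random salt, so the strings differ even
# though key and plaintext are identical.
my $reencrypted = $cipher->encrypt_hex($dbpw);
printf "re-encrypt and compare: %s\n",
    $reencrypted eq $cookie_value ? 'match' : 'no match';

# Hypothetical helper: verify by decrypting the cookie and comparing
# plaintexts. Malformed or tampered cookies are rejected, not fatal.
sub cookie_matches {
    my ( $cbc, $cookie_hex, $expected ) = @_;

    # Accept only an even-length hex string before handing it to decrypt.
    return 0
        unless defined $cookie_hex
        && $cookie_hex =~ /\A(?:[0-9a-fA-F]{2})+\z/;

    # decrypt_hex() can croak on a bad header, so trap the failure.
    my $plain = eval { $cbc->decrypt_hex($cookie_hex) };
    return 0 unless defined $plain;

    return $plain eq $expected ? 1 : 0;
}

printf "decrypt and compare:    %s\n",
    cookie_matches( $cipher, $cookie_value, $dbpw ) ? 'match' : 'no match';

# A wrong password or a mangled cookie does not verify.
printf "wrong password:         %s\n",
    cookie_matches( $cipher, $cookie_value, 'something else' ) ? 'match' : 'no match';
printf "mangled cookie:         %s\n",
    cookie_matches( $cipher, 'zz' . $cookie_value, $dbpw ) ? 'match' : 'no match';
```

CBC encryption alone gives confidentiality but no integrity protection, so a cookie handled this way can still be altered without the decryption step noticing in every case.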