|Think about Loose Coupling|
What *are* the best ways to encrypt data?by bradcathey (Prior)
|on Aug 27, 2004 at 11:49 UTC||Need Help??|
bradcathey has asked for the wisdom of the Perl Monks concerning the following question:
All this talk about encryption over the past few days has me second guessing myself. And because I'm still new at the security game, but not to flog a dead horse, I'm curious as to my methods.
I write Perl for web CMS apps and forms processing. I'm using Crypt::CBC to 1) store passwords for database access and 2) admin page log-on. Currently:
1) Everytime Perl connects to MySQL db, the encrypted connect password, stored in the root (outside my public_docs) is decrypted using a key, also stored in a file in the root. This has been addressed, even by myself here and here, and I'm still okay with this scenario, though open to advice. More curious about...
2) A user enters a password in an non-secure (no SSL—which now has me nervous) HTML form. The Perl encrypts the password with a static key (again, stored in the root outside of my public_docs) and inserts it into a MySQL table of users. When they log in, the encrypted password is pulled from the db, decrypted, and compared with the log-in.
3) Future application: I want to encrypt larger amounts of text (several paragraphs of plain text) before storing in the database.
Is #1 still sound?
What are the hazards of #2, and what would be better?
What are some approaches to #3? Found this but would like to know more about Digest::MD5 or others.
Sorry for all the questions, could break it down into smaller ones, but that just drags this all out even further. Thanks!
"Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton