All this talk about encryption over the past few days has me second guessing myself. And because I'm still new at the security game, but not to flog a dead horse, I'm curious as to my methods.

I write Perl for web CMS apps and forms processing. I'm using Crypt::CBC to 1) store passwords for database access and 2) admin page log-on. Currently:

1) Everytime Perl connects to MySQL db, the encrypted connect password, stored in the root (outside my public_docs) is decrypted using a key, also stored in a file in the root. This has been addressed, even by myself here and here, and I'm still okay with this scenario, though open to advice. More curious about...

2) A user enters a password in an non-secure (no SSL—which now has me nervous) HTML form. The Perl encrypts the password with a static key (again, stored in the root outside of my public_docs) and inserts it into a MySQL table of users. When they log in, the encrypted password is pulled from the db, decrypted, and compared with the log-in.

3) Future application: I want to encrypt larger amounts of text (several paragraphs of plain text) before storing in the database.

Questions:

• Is #1 still sound?

• What are the hazards of #2, and what would be better?

• What are some approaches to #3? Found this but would like to know more about Digest::MD5 or others.

Sorry for all the questions, could break it down into smaller ones, but that just drags this all out even further. Thanks!