A better method would be to hash the user's password into the DB

This is the asymetric solution I've been reading about, right? Would this be a good place for Digest::MP5? Or can you suggest another? Thanks.

For passwords, Digest::MD5 is fine, although for hashing longer texts you might use Digest::SHA1, as it uses a 160-bit key (vs. MD5's 128-bit).

-b

I have a module to do this for a couple of websites:

###########################
# use mapps;
#
# CREATE TABLE users (
#     auid int(10) unsigned NOT NULL auto_increment,
#     auname varchar(30) default NULL,
#     PRIMARY KEY  (auid)
# ) TYPE=MyISAM;
# 
# CREATE TABLE secrets (
#     auid int(10) unsigned NOT NULL auto_increment,
#     passwd char(40) NOT NULL default '',
#     salt int(11) NOT NULL default '0',
#     PRIMARY KEY  (auid)
# ) TYPE=MyISAM DEFAULT;
##########################

package Mapps::Auth;
use Exporter;
use Digest::SHA1;
use DBI;
use warnings;
use strict;
use vars qw($VERSION @ISA @EXPORT);

our $VERSION     = 1.00; 
our @ISA         = qw(Exporter);
our @EXPORT      = qw(&new &auth);

sub new {
    my $class = shift;
    my $self  = {};
    return bless $self, $class; 
}

sub auth {

    my ($self, $dbh1); 
    my $uname = shift;  
    my $passwd = shift;  
    my ($dbsecret, $salt, $uid);

    $dbh1 = DBI->connect('dbi:mysql:itiv', 'lwriter', '**I can't tell 
+you!') or die "Couldn't connect: $dbh1->errstr";
    # get secret from db
    my $statement="SELECT
    admin_users.auid,
    auname,
    passwd,
    salt
    FROM
    admin_users,
    secrets
    WHERE
    admin_users.auid=secrets.auid
    AND
    auname='$uname';";

    my $sth = $dbh1->prepare($statement) or die "Couldn't prepare stat
+ement: ".$dbh1->errstr;
    $sth->execute or die "Couldn't execute statement: ".$dbh1->errstr;

    while (my $ref = $sth->fetchrow_hashref){
        $dbsecret = $ref->{'passwd'};
        $salt     = $ref->{'salt'};
        $uid      = $ref->{'auid'};
    }
    
    # encrypts password using
    # SHA-1 algorithm
    my $sha1 = Digest::SHA1->new;

    # reset algorithm
    $sha1->hexdigest;

    # encrypt
    my $secret = Digest::SHA1::sha1_hex($passwd . $salt);    

    #die "$uid, $dbsecret, $secret, $salt ";
    # does generated secret match database secret?
    if ($secret eq $dbsecret){
        return (1, $uid);
    }
    return (0, $uid);
}
1;
[download]

Neil Watson
watson-wilson.ca

Thanks, Neil for sharing that. I will take a closer look.


—Brad
"Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton

To clarify, there are asymetric & symetric encryption algorithms, which is a seperate topic from hashes. Hashes are best defined as "one way" (you can hash it, but not unhash it), whereas encryption you can encrypt & decrypt it.

On the other point, correct, Digest::MD5 (or other hashing solutions) are best used here. The timing is amazing, check out a current post MD5 - what's the alternative that discusses that hashing question.

- jbWare