in reply to Best way to hide passwords.
If you're using a '.htpasswd' style system, use MD5
crypt instead of DES. MD5 is much harder to
crack than the simple DES encryption used by default,
and it's perfectly compatible, at least when it comes to
using Perl and crypt(). More on that in a second.
If you are storing passwords on your system, you want to ensure that even if the file should fall into the wrong hands, there is no easy way into your system. This is effected by having the passwords stored encrypted, just like they are in the UNIX '/etc/passwd' file (or, '/etc/shadow' which is more common these days). Since the passwords are sent via HTTP or a cookie, or some other mechanism in a non-encrypted way (even over "encrypted" SSL, they are decrypted into plain-text by the server for authentication), the encrypted passwords are no use since you still don't know the password to gain access.
As distributed.net proved, DES encryption is quite flimsy and hardly provides any security at all. You should use MD5 instead, which is a much more robust algorithm.
The trick to using MD5 instead of DES is in how you supply the "salt" to the crypt() function. If you follow the docs, you would supply two random letters. For MD5, you use eight, which allows for more variations when it is stored encrypted, which translates into better security.
Here's a standard-issue MD5 salt generator:
If you are using a database, such as MySQL, you could use the built-in PASSWORD() function which does the encryption for you. Or, you could use your own. It depends on the security of your application.
What you should not ever do is store passwords as plain-text. So, yes, encrypt the passwords in the file, but don't bother encrypting the whole file.
If you are storing passwords on your system, you want to ensure that even if the file should fall into the wrong hands, there is no easy way into your system. This is effected by having the passwords stored encrypted, just like they are in the UNIX '/etc/passwd' file (or, '/etc/shadow' which is more common these days). Since the passwords are sent via HTTP or a cookie, or some other mechanism in a non-encrypted way (even over "encrypted" SSL, they are decrypted into plain-text by the server for authentication), the encrypted passwords are no use since you still don't know the password to gain access.
As distributed.net proved, DES encryption is quite flimsy and hardly provides any security at all. You should use MD5 instead, which is a much more robust algorithm.
The trick to using MD5 instead of DES is in how you supply the "salt" to the crypt() function. If you follow the docs, you would supply two random letters. For MD5, you use eight, which allows for more variations when it is stored encrypted, which translates into better security.
Here's a standard-issue MD5 salt generator:
It is used just like always:my (@chars) = ('a'..'z','A'..'Z','0'..'9','.','/'); sub md5_salt { my ($return) = '$1$'; $return .= $chars[rand($#chars+1)] foreach (0..7); return $return; }
So you get passwords that are encrypted like:$encrypted_passwd = crypt($passwd, md5_salt()); # For testing... if (crypt($passwd_guess,$passwd_encrypted) eq $passwd_encrypted) { # Got it. }
Which are, incidentally, all the same password ('shjdajksds') with different "salt".$1$1PUXLuZE$P.LfclRO9SKqTf2BQK.yD1 $1$t7AJPueY$1ivH/pIhxnjEIx10QzaIi. $1$lvWzTNnn$JFsfy9ALLJS3Dpi4OHMVo1
If you are using a database, such as MySQL, you could use the built-in PASSWORD() function which does the encryption for you. Or, you could use your own. It depends on the security of your application.
What you should not ever do is store passwords as plain-text. So, yes, encrypt the passwords in the file, but don't bother encrypting the whole file.
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re: Re: Best way to hide passwords.
by dvergin (Monsignor) on Mar 06, 2001 at 05:12 UTC |
In Section
Seekers of Perl Wisdom