PerlMonks  

Re: CGI Password

by fpi (Monk)
on Mar 28, 2001 at 12:13 UTC
in reply to CGI Password

I'm not a security expert, but I can suggest a tip which I have used in similar projects such as yours, where security is more a matter of personal or family privacy than of financial accounts, etc.... Use the crypt function to encrypt your password.

Basically, crypting is one-way (there is no uncrypt command), so you need to determine ahead of time the encrypted form of your password, which can be stored in the script or in a text file. Then, when your user enters the password, crypt the entry and compare the crypted version to whatever you have stored.

The advantage of this is that if someone sees your script or the text file where it was stored, he/she would only see a jumble of letters and numbers and not your password. It makes you feel more secure, because there is no direct, easy way to uncrypt it.

The syntax to determine the crypted form ahead of time is something like this:
    my $p = "howdy";
    my $salt = substr($p, 0, 2);    # define salt however you want
    my $crypted = crypt($p, $salt);
    print "Crypted form of $p is $crypted\n";

Note that $salt is a 2-character variable that determines how $p is crypted. You can define it however you want, even hard-code it, but just remember which $salt you use so you can get the same value later. Every Perl book which I have read is quite vague about $salt. I suspect someone in PM will post the inner workings of salt and crypt....

So anyway, after I pre-determine the encrypted form of "howdy" (ho8dIXKikSTi2), I would just modify your script as follows:

    use CGI qw(param);

    my $p = "ho8dIXKikSTi2";    # better than displaying the actual password
    my $password = param('password');
    my $salt = substr($p, 0, 2);
    my $crypted = crypt($password, $salt);    # crypt the submitted password, not the stored value
    if ($p eq $crypted) {
        # it worked
    } else {
        # try again
    }
If you notice, the first 2 letters of the encrypted version are $salt, which in my example are also the first 2 letters of your password. Personally, I think that is still OK, because a password cracker is not going to know that. Of course, if your password is less than 3 characters, then this might be more of a problem?

If you eventually want to write your code such that you can change the password online, then store the encrypted password in a separate file.

I guess this crypting is also good in situations where users create their own passwords, where only the user, and not even the administrator, could read the password.

Hope this helps.
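The scheme fpi describes, written out as an added example that is not fpi's own code: the hash is generated once with crypt() and stored, and verification later reuses the stored hash as the salt argument, which works because crypt() reads only its first two characters. That decouples the salt from the password's own first two letters, which the post notes is a weak spot. The demo values ("howdy", salt "ho") are taken from the post; the resulting hash is computed at run time because its exact form depends on the system's crypt(3).

```perl
#!/usr/bin/perl
# Added example, not fpi's code: crypt() the password once, store the
# result, and verify later by recovering the salt from the stored hash.
use strict;
use warnings;

# Run once, offline: produce the value you store in the script or a file.
# crypt() puts the 2-character salt at the front of its output, so the
# stored hash carries its own salt and nothing else needs recording.
sub make_hash {
    my ($plain, $salt) = @_;
    return crypt($plain, $salt);
}

# Verify a submitted password against the stored hash. Passing the stored
# hash as the salt works because crypt() reads only its first 2 characters,
# so the salt comes from the hash rather than from the password itself.
sub check_password {
    my ($submitted, $stored) = @_;
    my $recomputed = crypt($submitted, $stored);
    return (defined $recomputed && $recomputed eq $stored) ? 1 : 0;
}

# Constructed demo: "ho" is the salt fpi used; the exact hash depends on the
# system's crypt(3), so it is computed here rather than hard-coded.
my $stored = make_hash("howdy", "ho");
print "stored hash: $stored\n";
for my $try ("howdy", "howdie", "Howdy") {
    printf "%-7s -> %s\n", $try,
        check_password($try, $stored) ? "accepted" : "rejected";
}
```

One property of traditional DES-based crypt() worth knowing before relying on it: it uses only the first 8 characters of the password and a 12-bit salt, so longer passwords gain nothing and the total search space is small, which is the reason the replies below call it aged.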

Re (tilly) 2: CGI Password
by tilly (Archbishop) on Mar 28, 2001 at 17:38 UTC
    crypt is showing its age. Brute-force cracking is now feasible. The basic idea is good, but I would recommend using Digest::MD5 instead. Add a "secret key" of your choice as a salt before computing the digest.

    UPDATE
    In response to arhuman, that is why I said to add a secret key as a salt. That can be of any length, and its purpose is to increase the search space so that brute force fails.

      Hehe, MD5 is aging too; it can now be cracked in hours (up to 6 chars) or in a few days for a longer password (8 chars).

      Proof here.

      Try Digest::SHA1...

      UPDATE :
      In response to tilly
      IMHO SHA1 is a better choice because SHA1 seems more secure than MD5 (it resists collision attacks better) and is SLOWER,
      which in this case is an advantage as it renders brute-force attacks less effective
      (the time penalty is unnoticeable for checking/creating ONE password, but is a real problem when you check thousands or more...)

      "Only Bad Coders Badly Code In Perl" (OBC2IP)
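What tilly and arhuman propose, as an added example that is neither of their code: a secret key plus a per-user salt is prepended to the password before digesting, and the salt is stored alongside the digest. It uses the core Digest::SHA module (an assumption: Perl 5.10 or later) in place of the Digest::SHA1 module arhuman names; sha1_hex has the same interface in both. The secret and the salt generator are constructed placeholders; Perl's rand is not a cryptographic source, so a deployment would take the salt from a proper random source instead.

```perl
#!/usr/bin/perl
# Added example, not tilly's or arhuman's code: salted SHA-1 digest of a
# password with a site secret mixed in, plus a verification routine.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);   # core module; Digest::SHA1 offers the same sha1_hex

# Site-wide secret ("secret key" in tilly's reply). Kept out of the password
# file so that a leaked file on its own does not give a cracker the full input.
my $SECRET = 'example-secret-change-me';   # constructed placeholder

# Per-user random salt so two users with the same password get different
# digests. rand() is NOT cryptographically strong; this is illustration only.
sub new_salt {
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');
    return join '', map { $chars[rand @chars] } 1 .. 8;
}

# Build the line you would write to the password file: "salt:digest".
sub make_record {
    my ($plain) = @_;
    my $salt = new_salt();
    return "$salt:" . sha1_hex($SECRET . $salt . $plain);
}

# Recompute the digest for a submitted password and compare it with the
# stored one. Every byte is compared rather than stopping at the first
# mismatch, so the time taken does not reveal how much of the digest matched.
sub check_record {
    my ($submitted, $record) = @_;
    my ($salt, $digest) = split /:/, $record, 2;
    return 0 unless defined $salt && defined $digest;
    my $got = sha1_hex($SECRET . $salt . $submitted);
    return 0 unless length($got) == length($digest);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($digest, $_, 1))
        for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed demo.
my $record = make_record("howdy");
print "stored record: $record\n";
for my $try ("howdy", "howdie") {
    printf "%-7s -> %s\n", $try,
        check_record($try, $record) ? "accepted" : "rejected";
}
```

Storing the salt next to the digest is what lets the same password be re-checked later; the secret key stays in the script or the environment, not in the file. arhuman's point about speed cuts both ways: a slower digest costs the legitimate user nothing noticeable per login, but multiplies the cracker's work across every guess.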
