Re: CGI Password
by fpi (Monk) on Mar 28, 2001 at 12:13 UTC [id://67775]
I'm not a security expert, but I can suggest a tip which I have used in similar projects such as yours, where security is more of just personal or family privacy as opposed to financial accounts, etc.... Use the crypt function to encrypt your password. Basically crypting is one way (there is no uncrypt command), so you need to determine ahead of time the encrypted form of your password, which can be stored in the script or in a text file. Then when your user enters in the password, crypt the entry and compare the crypted version to whatever you have stored. The advantage of this is that if someone sees your script or text file where the script was stored, he/she would only see a jumble of letters and numbers and not your password. Makes you feel more secure, because there is no direct easy way to uncrypt it. The syntax to determine the crypted form ahead of time is something like this:
Note that $salt is a 2-character variable that determines how $p is crypted. You can define it however you want, even hard code it, but just remember which $salt you use so you can get the same value later. Every perl book which I have read is quite vague about $salt. I suspect someone in PM will post the inner workings of salt and crypt.... So anyway, after I pre-determine what is the encrypted form of "howdy" (ho8dIXKikSTi2), I would just modify your script as follows:

If you notice, the first 2 letters of the encrypted version are $salt, which in my example are also the first 2 letters of your password. Which, personally, I think is still OK, because a password cracker is not going to know that. Of course, if your password is less than 3 characters, then this might be more of a problem? If you eventually want to write your code such that you can change the password online, then store the encrypted password in a separate file. I guess this crypting is also good in situations where users create their own passwords, where only the user, and not even the administrator, could read the password. Hope this helps.
In Section: Seekers of Perl Wisdom
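A worked version of the store-then-compare flow described in the post, added here as an example rather than code from the post or its author. The function names are mine; the salt is generated at random instead of being taken from the password, and the `$6$` (SHA-512 crypt) prefix is used only if the local libc honours it, otherwise a plain 2-character DES salt is used.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters permitted in a traditional crypt(3) salt.
my @salt_chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Build a salt that is independent of the password. NOTE: rand() is not a
# cryptographic generator; a real deployment should read /dev/urandom or a
# CSPRNG module instead. If crypt() does not honour "$6$" (SHA-512), fall
# back to a 2-character DES salt; DES crypt only looks at the first 8
# characters of the password, so prefer the SHA-512 form where available.
sub make_salt {
    my $raw = join '', map { $salt_chars[int rand @salt_chars] } 1 .. 16;
    my $sha_salt = "\$6\$$raw\$";
    my $probe = crypt('probe', $sha_salt);
    return (defined $probe && $probe =~ /^\$6\$/) ? $sha_salt : substr($raw, 0, 2);
}

# Produce the value to store (in a file, never in the CGI script itself).
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt());
}

# The salt is embedded at the front of the stored value, so passing the whole
# stored hash back in as the "salt" argument re-derives the same parameters.
# The comparison is done without early exit so timing does not leak a prefix.
sub check_password {
    my ($plain, $stored) = @_;
    my $candidate = crypt($plain, $stored);
    return 0 unless defined $candidate && length($candidate) == length($stored);
    my $diff = 0;
    for my $i (0 .. length($stored) - 1) {
        $diff |= ord(substr($candidate, $i, 1)) ^ ord(substr($stored, $i, 1));
    }
    return $diff == 0;
}

my $stored = hash_password('howdy');
print "stored form: $stored\n";
print "correct password: ", (check_password('howdy', $stored) ? 'accepted' : 'rejected'), "\n";
print "wrong password:   ", (check_password('howdi', $stored) ? 'accepted' : 'rejected'), "\n";
```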