Come for the quick hacks, stay for the epiphanies. | |
PerlMonks |
comment on |
( [id://3333]=superdoc: print w/replies, xml ) | Need Help?? |
All this talk about encryption over the past few days has me second guessing myself. And because I'm still new at the security game, but not to flog a dead horse, I'm curious as to my methods. I write Perl for web CMS apps and forms processing. I'm using Crypt::CBC to 1) store passwords for database access and 2) admin page log-on. Currently: 1) Everytime Perl connects to MySQL db, the encrypted connect password, stored in the root (outside my public_docs) is decrypted using a key, also stored in a file in the root. This has been addressed, even by myself here and here, and I'm still okay with this scenario, though open to advice. More curious about... 2) A user enters a password in an non-secure (no SSL—which now has me nervous) HTML form. The Perl encrypts the password with a static key (again, stored in the root outside of my public_docs) and inserts it into a MySQL table of users. When they log in, the encrypted password is pulled from the db, decrypted, and compared with the log-in. 3) Future application: I want to encrypt larger amounts of text (several paragraphs of plain text) before storing in the database. Questions: Is #1 still sound? What are the hazards of #2, and what would be better? What are some approaches to #3? Found this but would like to know more about Digest::MD5 or others. Sorry for all the questions, could break it down into smaller ones, but that just drags this all out even further. Thanks! —Brad "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton In reply to What *are* the best ways to encrypt data? by bradcathey
|
|