http://qs321.pair.com?node_id=297210


in reply to Ecrypting passwords

I really appreciate all the advice I've been given. Not sure what the proper way is to respond to so many people all at once so I'll just try this. If it doesn't fly, I'd like a pointer on the right way ;)



I temporarily installed and ran PerlDiver to see what modules I have available to me. I have MD5 but not SHA1. I guess I'll have to dig in and get that installed. Currently, there's a bug (not written by me :p) that actually allows registered users no password for their login! Needless to say, I was kind of surprised at this design choice, but oh well. There's a second ID hash in the cookie that ties the user in with the ID, but it isn't actually used to validate users the same way a login/password does. That's going to get fixed ASAP. At this moment, I don't really care if I implement MD5, install SHA1, then switch over. Registration is going to require a valid eMail, and new passwords can easily be sent out. Which brings me to my next point: the thought of decrypting passwords and sending them out if people forget never actually occurred to me. But as I think about it, it's probably best to go with one-way hashes and send out new passwords to valid eMail accounts anyway.
Unfortunately, I still haven't figured out how to create a secured SSL connection to the site. But I figure it's only a matter of time, a lot of searches, and reading before I come across the answer. If only I can stay focused and not be distracted so easily. Hey, look what I found on eBay!



Actually the script will likely be running as the web server default user so anyone that hacks the server via a badly coded CGI will have access to that dir.
Sadly, I don't have any books on that topic. Or rather, they cover CGI security rather vaguely. What constitutes a badly written CGI and how might I find out? I've usually written things that are used internally where the source code is open (i.e. not mine) and never released to the public. So software security was a topic that never really came up. Is there a decent site or book that you recommend I can study up on this? I'll do a search on Perl Monks to see what bubbles up. Thanks for bringing that to my mind, I would've forgotten during the data conversion. Actually, to tell the truth, I did forget. :-\



Thanks for all the suggestions and heads up. It seems I forgot more than a thing or two about things I should've been thinking about. Well... that's what's so great about Perl Monks. That and all those brains I can poke at.

Is it fair to stick a link to my site here?

Thanks for your patience.
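The one-way hashing the post above settles on, as an added example that is not code from the thread: salted Digest::MD5 hashes (the module reported as available), with the password only ever stored in hashed form, so a forgotten password means issuing a new one rather than recovering the old. The names make_salt, hash_password and check_password are assumed, and Digest::SHA's sha256_hex can be dropped in for md5_hex once it is installed.

```perl
#!/usr/bin/perl
# Added example, not from the thread: salted one-way password storage.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# A per-user random salt means two users with the same password get different
# stored values and a precomputed table of md5("password") is useless.
# Perl's rand() is not a cryptographic RNG; fine for a salt, not for secrets.
sub make_salt {
    my @chars = ('a'..'z', 'A'..'Z', 0..9);
    return join '', map { $chars[ int rand @chars ] } 1 .. 16;
}

# Stored form is "salt$hash". Only this string goes into the user database;
# the plaintext password is never written anywhere.
sub hash_password {
    my ($password, $salt) = @_;
    $salt = make_salt() unless defined $salt;
    return $salt . '$' . md5_hex($salt . $password);
}

# Recompute with the stored salt and compare. The original password cannot be
# recovered from the hash, which is why a reset has to mail a *new* password.
# An empty or missing password is rejected outright, closing the
# "registered user with no password" hole the post mentions.
sub check_password {
    my ($password, $stored) = @_;
    return 0 unless defined $password && length $password;
    my ($salt, $hash) = split /\$/, $stored, 2;
    return 0 unless defined $hash;
    return md5_hex($salt . $password) eq $hash ? 1 : 0;
}

# Demo run with a constructed password.
my $stored = hash_password('correct horse');
print "stored: $stored\n";
print check_password('correct horse', $stored) ? "login ok\n"  : "rejected\n";
print check_password('wrong',         $stored) ? "login ok\n"  : "rejected\n";
print check_password('',              $stored) ? "login ok\n"  : "rejected\n";
```

Only the second and third checks should print "rejected"; a full reset flow would generate the temporary password with a proper CSPRNG and store only its hash before e-mailing it once.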

Re: Re: Ecrypting passwords
by Molt (Chaplain) on Oct 08, 2003 at 10:04 UTC

A nice place to look for web application security is the Open Web Application Security Project which, as well as having a nice guide as to what the major flaws in many such systems are, also has a program (in Java) called WebGoat which pretty much takes you through common exploits as you try them on a test server. In my opinion this helps you understand the issues on an intuitive level and to avoid allowing such holes into your own code.

Another useful resource with some Perl-specific hints is the W3 Security FAQ, which, when used in conjunction with the above and a good knowledge of generally reliable coding strategies, should stand you in good stead.