Curtis,
Maybe this is a dumb question from the encryption-ignorant, but why wouldn't
you want $rand to change? I would think that the more randomness you
introduce, the more effective the encryption. I am aware that the idea of a
hash function is ideally twofold: The original values should be effectively
impossible (or just very very difficult) to derive from the hash, and small
changes in the input data should (I believe) cause large changes in the hash
value. Please correct me if I've got a fundamental misunderstanding here,
because I have just enough knowledge to make a fool of myself.
David T. Kuchler
Technical Configurator
Pioneer Standard Electronics
[EMAIL PROTECTED]
-----Original Message-----
From: Curtis Poe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 13, 2001 7:33 PM
To: scott lutz; [EMAIL PROTECTED]
Subject: Re: Form - Password security
--- scott lutz <[EMAIL PROTECTED]> wrote:
> I am wondering if anyone has any experience with the Rot13.pm?
> I am looking for a module to encrypt the log-in password from a form, and
am
> unfamiliar with all of the modules on CPAN, and so am looking for some
> feedback.
All Rot13 does is 'rotate' your characters by 13 letters in the alphabet.
It's a simple
substitution cypher.
Once the login password is submitted from a form (over a secure server, one
hopes), what you
should do is encrypt with with a one-way hash and compare that value to what
is in the database.
The following program is *incomplete*!!! It just shows how to encrypt the
password:
#!/usr/bin/perl -w
use strict;
use Digest::MD5 qw ( md5_base64 );
my $rand = 'yed*73=1/+#@%d';
my $pass = 'secret';
my @data = ($rand, $pass);
my $encrypted_pass = md5_base64( @data );
That should set $encrypted_pass to "XDq+aqniyiWLTcwMMAV7qg" (without the
quotes).
The idea is simple: when someone has a username/password combination
created, you hash the
password and save the hash in the database. If someone gets access to the
database, they won't
see plaintext passwords. Of course, $rand should be VERY random and should
not change.
Subsequent logins regenerate the hash and compare that value to what is in
the database.
If the user loses their password, you won't be able to give it to them.
You'll need to recreate
it.
For added security, use Digest::SHA1 instead. It's a little slower, but
more secure.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year! http://personal.mail.yahoo.com/
