>>>>> "James" == James Kelty <[EMAIL PROTECTED]> writes:
James> Can anyone point out a good book that details the functionality
James> of perl and crypt()? I would like to have a cgi page that
James> allows new member to sign up, hold the info in a flat file, but
James> I would like to have the passwords encrypted. Any help would be
James> much appreciated! Thanks a lot!
The basic strategy is:
my $username = "randal";
my $cleartext = "guessme"; # this is the password you want to protect
... adding user to password file
my $encrypted = crypt($cleartext, "zz");
open PASSWORDFILE, ">>passwd" or die;
print PASSWORDFILE "$username:$encrypted\n";
close PASSWORDFILE;
... time passes
use CGI qw(param); # param() comes from CGI.pm
my $username = param('username'); # randal
my $guess = param('password'); # testing to see if it's "guessme"
my $encryptedpassword;
open PASSWORDFILE, "passwd" or die;
while (<PASSWORDFILE>) {
chomp;
my ($u, $e) = split /:/;
next if $u ne $username;
$encryptedpassword = $e;
last;
}
die "missing user" unless defined $encryptedpassword;
die "mismatch password"
unless crypt($guess, $encryptedpassword) eq $encryptedpassword;
... he's good!
That last line is the big one. You store the *output* of crypt
into the file. You then compare the result of running crypt *again*
to what's in the file.
As for that salt parameter, ignore it. I just use "zz" or something.
In this day and age with fastcrypt implementations, having a varying
salt really doesn't add much to security.
Hope this helps... it took me a few minutes to compose. :)
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[EMAIL PROTECTED]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
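The store-then-recompute pattern from the reply above, written out as an added example; it is not code from the original post or its author. It is in Python and substitutes hashlib's PBKDF2-HMAC-SHA256 for the libc crypt(3) routine, but keeps the two points the reply makes: only the output of the one-way function is ever written to the user:hash flat file, and the stored string carries its own salt as a prefix, which is exactly why `crypt($guess, $stored) eq $stored` works in the Perl version. It draws a fresh per-user salt from crypt's own 64-character alphabet, so two users with the same password get different stored strings. The 16-character salt length, the 100,000-iteration work factor, the `$pbkdf2$` record layout, the helper names and the user names are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Same 64-character alphabet crypt(3) uses for its salt: [a-zA-Z0-9./]
SALT_CHARS = ("abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")
ITERATIONS = 100_000   # assumed work factor; raise it as hardware allows


def new_salt(length=16):
    """Fresh random salt, one per stored password (length is an assumption)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def _derive(cleartext, salt, iterations):
    """The one-way function: PBKDF2-HMAC-SHA256, hex encoded."""
    dk = hashlib.pbkdf2_hmac("sha256", cleartext.encode("utf-8"),
                             salt.encode("ascii"), iterations)
    return dk.hex()


def hash_password(cleartext, salt=None):
    """Return the string to store.  Like crypt(3) output it carries its own
    salt (and here the work factor), so verification needs nothing else."""
    if salt is None:
        salt = new_salt()
    return f"$pbkdf2${ITERATIONS}${salt}${_derive(cleartext, salt, ITERATIONS)}"


def check_password(guess, stored):
    """The 'crypt($guess, $stored) eq $stored' step: recover the salt from the
    stored string, rerun the one-way function on the guess, compare."""
    try:
        _, scheme, iterations, salt, digest = stored.split("$")
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: never a match
    if scheme != "pbkdf2":
        return False
    # constant-time comparison; both sides encoded so odd bytes in a
    # tampered file cannot raise instead of failing closed
    return hmac.compare_digest(_derive(guess, salt, iterations).encode("utf-8"),
                               digest.encode("utf-8"))


def add_user(path, username, cleartext):
    """Append 'username:hash'; the cleartext itself is never written."""
    if not username or ":" in username or "\n" in username:
        raise ValueError("username must be non-empty with no ':' or newline")
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{username}:{hash_password(cleartext)}\n")


def lookup(path, username):
    """Return the stored hash for username, or None if absent."""
    try:
        with open(path, encoding="utf-8") as f:
            for line in f:
                user, _, stored = line.rstrip("\n").partition(":")
                if user == username:
                    return stored
    except FileNotFoundError:
        pass
    return None


def authenticate(path, username, guess):
    """True only if the user exists and the guess reproduces the stored hash.
    Unknown user and wrong password both return False so the answer does not
    reveal which usernames exist."""
    stored = lookup(path, username)
    return stored is not None and check_password(guess, stored)


def demo():
    """Constructed walk-through on a throwaway passwd file (not real data)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        add_user(path, "randal", "guessme")
        add_user(path, "james", "guessme")    # same password, different salt
        return {
            "good":     authenticate(path, "randal", "guessme"),
            "bad":      authenticate(path, "randal", "Guessme"),
            "unknown":  authenticate(path, "nobody", "guessme"),
            "distinct": lookup(path, "randal") != lookup(path, "james"),
        }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result of `demo()`. The record format is self-describing on purpose: because the salt and work factor travel with the hash, `check_password` can verify an entry written under an older work factor without any out-of-band state, the same property the Perl code relies on when it passes the stored string back into crypt() as the salt argument.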