Randal L. Schwartz <[EMAIL PROTECTED]> writes:
> my $encrypted = crypt($cleartext, "zz");
> .....
> As for that salt parameter, ignore it.  I just use "zz" or something.
> In this day and age with fastcrypt implementations, having a varying
> salt really doesn't add much to security.

Having a better salt (than the two characters "zz") helps prevent casual or
accidental browsing (say, by the sysadmin) from revealing that two
users have the same password.  While this only adds minimal security,
it's worth the minimal effort to avoid that problem.  You can use the
first (or last) two characters of the username for a simple salt:
      my $encrypted = crypt($cleartext, substr($username, -2, 2));

The brief documentation for crypt is available (among other places) at:
    http://www.perl.com/pub/doc/manual/html/pod/perlfunc/crypt.html

[EMAIL PROTECTED] adds:
> I normally use Digest::MD5 for this kind of thing.  The module, like most
> others, is available from CPAN.
> 
> #!/usr/bin/perl -w
> 
> use Digest::MD5 qw(md5_hex);
> use strict;
> 
> my $secret_password="foobarqux";
> my $digest=md5_hex($secret_password);
> 
> This is not really encryption as it's a one-way function.  You can't reverse
> the procedure to find the password from the digest so to authorise your users
> you will need to perform the digest function on the password they've supplied
> and compare it with the stored string.

I'll second this recommendation.  To avoid the same password issue
described above, it's slightly better to append the username when
computing the hash, as in:
          my $digest = md5_hex($secret_password . $username);

You may want to require a minimum password length or check for
"obvious" passwords.  Also, consider using SSL for the CGI script to
prevent the password from being sniffed during transmission to your
server.  Consult with a security expert if you need more than basic
security on your site.

+ Richard J. Barbalace

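The two points above (a fixed salt or an unsalted digest lets anyone who can read the stored values see that two users share a password, and a login check is done by recomputing and comparing) as an added, runnable example. This is not code from the thread or from any of its posters; the account names and passwords are constructed sample data, and the `user_salt`, `check_crypt` and `check_md5` helpers are names chosen here.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.  It shows why two users
# with the same password get the same crypt() or md5_hex() output when the
# salt is fixed, how the username-derived salt / suffix from the thread
# separates them, and how a login check recomputes and compares the digest.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed sample accounts (assumed, not from the thread); alice and bob
# happen to share a password.
my %password_of = (
    alice => 'hunter2',
    bob   => 'hunter2',
    carol => 'correct horse battery',
);

# Two-character salt from the tail of the username, as suggested on the page.
# A one-character username would give a one-character salt, which crypt()
# rejects on some systems, so it is padded here.
sub user_salt {
    my ($username) = @_;
    my $salt = substr($username, -2, 2);
    $salt .= 'z' while length($salt) < 2;
    return $salt;
}

sub crypt_fixed   { my ($pw)     = @_; return crypt($pw, 'zz') }
sub crypt_peruser { my ($pw, $u) = @_; return crypt($pw, user_salt($u)) }
sub md5_plain     { my ($pw)     = @_; return md5_hex($pw) }
sub md5_peruser   { my ($pw, $u) = @_; return md5_hex($pw . $u) }

# Login checks: recompute from the supplied password and compare with what
# was stored.  Passing the stored crypt() string as the salt reuses the salt
# characters embedded at its start, so nothing extra has to be kept.
sub check_crypt {
    my ($stored, $supplied) = @_;
    return crypt($supplied, $stored) eq $stored;
}

sub check_md5 {
    my ($stored, $supplied, $username) = @_;
    return md5_hex($supplied . $username) eq $stored;
}

# Traditional DES crypt() may be compiled out of the C library (the call
# then returns undef or a string beginning with '*'); detect that up front.
my $probe    = crypt('probe', 'zz');
my $have_des = defined $probe && $probe !~ /^\*/;

printf "%-6s  %-14s  %-14s  %-32s  %-32s\n",
    'user', 'crypt("zz")', 'crypt(user)', 'md5_hex(pw)', 'md5_hex(pw.user)';
for my $u (sort keys %password_of) {
    my $pw = $password_of{$u};
    printf "%-6s  %-14s  %-14s  %-32s  %-32s\n", $u,
        $have_des ? crypt_fixed($pw)       : 'n/a',
        $have_des ? crypt_peruser($pw, $u) : 'n/a',
        md5_plain($pw), md5_peruser($pw, $u);
}
# In the table, alice and bob share the crypt("zz") string and the plain
# md5_hex(pw) digest; the per-user columns differ for them.

# Verifying a login for alice against the stored username-suffixed digest.
my $stored_md5 = md5_peruser($password_of{alice}, 'alice');
print "md5 check, right password: ",
    check_md5($stored_md5, 'hunter2', 'alice') ? "ok" : "fail", "\n";
print "md5 check, wrong password: ",
    check_md5($stored_md5, 'hunter3', 'alice') ? "ok" : "fail", "\n";

if ($have_des) {
    my $stored_crypt = crypt_peruser($password_of{carol}, 'carol');
    print "crypt check, right password: ",
        check_crypt($stored_crypt, 'correct horse battery') ? "ok" : "fail", "\n";
    # Traditional DES crypt() keys on the first eight characters of the
    # password only, so a string that agrees on those eight also verifies.
    print "crypt check, first 8 chars only: ",
        check_crypt($stored_crypt, 'correct hXXX') ? "ok" : "fail", "\n";
}
```

Run it with `perl` on a system whose C library still provides the traditional DES `crypt()`; where that has been compiled out, the script prints `n/a` for the crypt columns and skips the crypt checks rather than dying. The last check is worth keeping in mind when relying on `crypt()` as the page does: only the first eight characters of the password take part in the DES variant, so a minimum-length rule does not buy as much there as it does with the `md5_hex` approach.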