-----Original Message-----
From: Arul, Rex 
Sent: Tuesday, October 02, 2001 4:43 PM
To: 'Barry McClintock'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Storing a Decryptable Password?


By using the Perl Development Kit from ActiveState Corp:

http://aspn.activestate.com/ASPN/Downloads/PDK/


-----Original Message-----
From: Barry McClintock [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 02, 2001 4:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Storing a Decryptable Password?


How do you write a Perl DLL?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 02, 2001 4:22 PM
To: [EMAIL PROTECTED]
Subject: FW: Storing a Decryptable Password?




Also, I forgot to mention the following options, since I thought
Morbus wanted encryption/decryption capabilities. If all your concern is to
just store 'some function of a plain text password' without any need for
decrypting it back (one-way encryption), then you can use the glorious
modules of Perl: Digest::SHA1 (160 bits) or Digest::MD5 (128 bits).

This would produce the message digests which can be stored in the database.
Nobody should mathematically be able to guess the password, with 1 in 2 to
the power 160 chances. You can even try to use some function of username and
password or just password along with the password itself to be fed into the
factory classes of Digest to get the password you want.

If you want to authenticate the user, you can still do so by comparing the
password digests without the need to decrypt them.

Thanks,
Rex
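
The digest-and-compare scheme described in the message above, as an added example that is not part of the original thread. It uses the core Digest::SHA module (the same SHA-1 that Digest::SHA1 provides); the helper names and the two sample accounts are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): store a one-way digest, verify by comparing.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);   # core module; same SHA-1 as Digest::SHA1

# Digest of the password alone: equal passwords give equal stored values.
sub plain_digest {
    my ($password) = @_;
    return sha1_hex($password);
}

# Digest of "some function of username and password", as the message suggests.
# The username acts as a per-account salt; the NUL separator keeps
# ("ab","c") and ("a","bc") from producing the same hash input.
sub user_digest {
    my ($username, $password) = @_;
    return sha1_hex(lc($username) . "\0" . $password);
}

# Compare two hex digests without stopping at the first differing character.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Authenticate: recompute the digest from the login attempt and compare.
sub authenticate {
    my ($db, $username, $attempt) = @_;
    my $stored = $db->{ lc($username) };
    return 0 unless defined $stored;
    return digests_equal($stored, user_digest($username, $attempt));
}

# Constructed sample accounts: two users who chose the same password.
my %accounts = (alice => 'rexarul', bob => 'rexarul');
my %db = map { $_ => user_digest($_, $accounts{$_}) } keys %accounts;

printf "plain digests identical:    %s\n",
    plain_digest($accounts{alice}) eq plain_digest($accounts{bob}) ? 'yes' : 'no';
printf "per-user digests identical: %s\n", $db{alice} eq $db{bob} ? 'yes' : 'no';
printf "alice, right password: %d\n", authenticate(\%db, 'alice', 'rexarul');
printf "alice, wrong password: %d\n", authenticate(\%db, 'alice', 'Rexarul');
printf "unknown user:          %d\n", authenticate(\%db, 'carol', 'rexarul');
```

A single SHA-1 or MD5 pass is fast to compute, so a stolen digest table can be tested against guessed passwords quickly; current practice is a random per-user salt with a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2.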




-----Original Message-----
Read this article, which implements RC4 Symmetric encryption in VBScript. 
http://www.4guysfromrolla.com/webtech/010100-1.shtml

I mimicked the idea by creating a Perl DLL which would encrypt a plain-text
password. The logic behind a symmetric encryption is that you provide a key
which would encrypt a plain-text password to an encrypted string. When you
pass the encrypted string to the encrypting engine, with the same key you
used to encrypt, you get the decrypted string back.

Now, what can be the key for your problem? Just treat the user's password
itself as the key that would hash itself. So if the user's password is:
rexarul, you encrypt it to some junk string using rexarul as the key.

This way, you need not ask the user again to type his/her key.

This works.

-- Rex

-----Original Message-----
From: Morbus Iff [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 02, 2001 4:09 PM
To: [EMAIL PROTECTED]
Subject: Storing a Decryptable Password?


I have a need to store a user's password in a configuration file:

  - the password should NOT be in plain text.
  - the password should be decryptable so that we
    don't have to ask the user each time (as per
    the common Unix crypt ideal).

Any ideas? There's always the cheap sort of rot13, binary, decimal sort of 
madness, but I was looking for something a bit more "hard to decipher at a 
glance". I know the inherent risks with having a decryptable, but I'll take 
those over the obvious risks of plaintext stored passwords.

Thoughts?


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]