On May 20, 2009, at 4:24 PM, Bill Ward wrote:

Over the years I've developed my own private Perl web login module. It takes a username or email address and password, checks it against the database, and creates the cookies. It has a 'forgot my password' option which is reasonably secure (of course it assumes that the email address of record is secure, but that's unavoidable). It uses MD5 to store passwords so there's no plaintext option, and I think it's "secure enough" for most Web apps. I wrote the initial code many years ago and have been tweaking it and adapting it but never released it as its own module, which I'd like to finally get around to doing.

But I'm afraid I may have "missed a spot" security-wise and would like someone who's a little more of an expert in that area to see if they can find any holes in its design or implementation that would be unacceptable.

Any takers?

I highly, highly recommend reading this article in detail:
http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
Some good takeaway lines are:

   "No, really. Use someone else’s password system. Don’t build your own."
   "The problem is that MD5 is fast."

The post is in response to a security hole article on the popular "Coding Horror" blog (by Jeff Atwood of StackOverflow fame).

   "Rainbow Hash Cracking"
        http://www.codinghorror.com/blog/archives/000949.html
   "You're Probably Storing Passwords Incorrectly"
        http://www.codinghorror.com/blog/archives/000953.html
   "I Just Logged In As You: How It Happened"
        http://www.codinghorror.com/blog/archives/001263.html

Chris
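To make the "MD5 is fast" point concrete, here is an added illustration that is not part of this thread and not Bill's module (which is Perl; this is Python so the reader can run it as-is). It contrasts a bare, unsalted MD5 store like the one described in the original message with a per-user salted, deliberately slow scheme, using PBKDF2-HMAC-SHA256 from the standard library as one stand-in for the kind of scheme the Matasano article recommends (bcrypt or scrypt would serve the same role). The password string and the iteration count are constructed for the demo; the timing ratio it reports is machine-dependent.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demo; not from any real system.
SAMPLE_PASSWORD = "correct horse battery staple"


# --- The scheme the original post describes: a bare MD5 of the password ---

def md5_store(password: str) -> str:
    """Unsalted MD5. Same password -> same digest for every user, and each
    guess costs one cheap hash, which is exactly what precomputed tables and
    brute force need."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    # compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(md5_store(password), stored)


# --- A salted, deliberately slow scheme: PBKDF2-HMAC-SHA256 -----------------

ITERATIONS = 200_000  # chosen so a single check costs a noticeable fraction of a second


def pbkdf2_store(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (hex).
    A fresh random salt per record means equal passwords produce different
    records, so one table cannot be reused across users."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive the key using the salt and iteration count stored with the record."""
    try:
        algo, iters, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key.hex(), key_hex)


# --- Why speed matters: cost of one candidate guess under each scheme ------

def time_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock seconds for one call of hash_fn over `rounds` distinct inputs."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"{SAMPLE_PASSWORD}{i}")
    return (time.perf_counter() - start) / rounds


def slowdown_factor(iterations: int = 20_000) -> float:
    """How many times more work one salted PBKDF2 guess costs than one bare MD5 guess.
    Uses a smaller iteration count than ITERATIONS so the demo finishes quickly;
    the salt is fixed here only so the timing compares like with like."""
    fixed_salt = b"\x00" * 16
    md5_t = time_per_guess(md5_store, rounds=2000)
    kdf_t = time_per_guess(lambda p: pbkdf2_store(p, fixed_salt, iterations), rounds=3)
    return kdf_t / md5_t


if __name__ == "__main__":
    rec_a = pbkdf2_store(SAMPLE_PASSWORD)
    rec_b = pbkdf2_store(SAMPLE_PASSWORD)
    print("unsalted MD5, user A:", md5_store(SAMPLE_PASSWORD))
    print("unsalted MD5, user B:", md5_store(SAMPLE_PASSWORD))  # identical
    print("salted PBKDF2, user A:", rec_a)
    print("salted PBKDF2, user B:", rec_b)  # differs
    print("verify ok:", pbkdf2_verify(SAMPLE_PASSWORD, rec_a))
    print("verify wrong password:", pbkdf2_verify("wrong", rec_a))
    print(f"one PBKDF2 guess costs ~{slowdown_factor():.0f}x one MD5 guess")
```

The two things worth noticing when it runs: the MD5 column is identical for both users, so a single precomputed table answers the question for everyone, while the PBKDF2 records differ and each guess against them costs thousands of times more work. The iteration count is stored in the record itself, so it can be raised for new records as hardware gets faster without invalidating old ones.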
