Randal L. Schwartz [EMAIL PROTECTED] writes:
my $encrypted = crypt($cleartext, "zz");
As for that salt parameter, ignore it. I just use zz or something.
In this day and age with fastcrypt implementations, having a varying
salt really doesn't add much to security.
Having a better salt than the fixed two characters "zz" helps prevent casual or
accidental browsing (say, by the sysadmin) from revealing that two
users have the same password. While this only adds minimal security,
it's worth the minimal effort to avoid that problem. You can use the
first (or last) two characters of the username for a simple salt:
my $encrypted = crypt($cleartext, substr($username, -2, 2));
The brief documentation for crypt is available (among other places) at:
http://www.perl.com/pub/doc/manual/html/pod/perlfunc/crypt.html
[EMAIL PROTECTED] adds:
I normally use Digest::MD5 for this kind of thing. The module, like most
others, is available from CPAN.
#!/usr/bin/perl -w
use strict;
use Digest::MD5 qw(md5_hex);
my $secret_password = "foobarqux";
# 32-character hex digest; store this, never the cleartext
my $digest = md5_hex($secret_password);
This is not really encryption as it's a one-way function. You can't reverse
the procedure to find the password from the digest so to authorise your users
you will need to perform the digest function on the password they've supplied
and compare it with the stored string.
I'll second this recommendation. To avoid the same password issue
described above, it's slightly better to append the username when
computing the hash, as in:
my $digest = md5_hex($secret_password . $username);
You may want to require a minimum password length or check for
obvious passwords. Also, consider using SSL for the CGI script to
prevent the password from being sniffed during transmission to your
server. Consult with a security expert if you need more than basic
security on your site.
+ Richard J. Barbalace
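The store-and-verify cycle described in the thread (hash on sign-up, recompute and compare on login, for both the crypt() and the Digest::MD5 variants), as an added example that is not code from any of the posters above. The user names and passwords are constructed sample data, and the crypt() path draws a random salt from the alphabet crypt() actually accepts instead of slicing the username, because a username may contain characters outside that alphabet:

```perl
#!/usr/bin/perl
# Added example (not from the original thread): store and verify
# passwords with crypt() and with Digest::MD5, using a per-user salt.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Characters a traditional two-character crypt() salt may contain.
my @salt_chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

# Build a random two-character salt from the permitted alphabet.
# Deriving the salt from the username only works if those two
# characters fall inside this alphabet; a random salt avoids that
# problem and still differs from user to user.
sub new_crypt_salt {
    return join '', map { $salt_chars[ rand @salt_chars ] } 1 .. 2;
}

# crypt() embeds the salt in the first two characters of its output,
# so storing the result alone is enough to verify later.
sub crypt_store {
    my ($cleartext) = @_;
    return crypt( $cleartext, new_crypt_salt() );
}

# Passing the stored value back as the salt reuses its first two
# characters, so the recomputation lines up with what was stored.
sub crypt_verify {
    my ( $cleartext, $stored ) = @_;
    return crypt( $cleartext, $stored ) eq $stored;
}

# Digest::MD5 variant from the thread: append the username so two
# users with the same password do not share a digest.
sub md5_store {
    my ( $cleartext, $username ) = @_;
    return md5_hex( $cleartext . $username );
}

sub md5_verify {
    my ( $cleartext, $username, $stored ) = @_;
    return md5_hex( $cleartext . $username ) eq $stored;
}

# Constructed sample accounts; alice and bob share a password on purpose.
my %users = (
    alice => 'foobarqux',
    bob   => 'foobarqux',
);

my ( %crypt_db, %md5_db );
for my $name ( sort keys %users ) {
    $crypt_db{$name} = crypt_store( $users{$name} );
    $md5_db{$name}   = md5_store( $users{$name}, $name );
}

# Same password, different stored values thanks to the salt / username.
print "crypt: alice=$crypt_db{alice} bob=$crypt_db{bob}\n";
print "md5:   alice=$md5_db{alice} bob=$md5_db{bob}\n";

# Login check: recompute and compare; nothing is ever decrypted.
for my $attempt ( [ 'alice', 'foobarqux' ], [ 'alice', 'wrong' ] ) {
    my ( $name, $pw ) = @$attempt;
    my $ok_crypt = crypt_verify( $pw, $crypt_db{$name} )       ? 'ok' : 'FAIL';
    my $ok_md5   = md5_verify( $pw, $name, $md5_db{$name} )    ? 'ok' : 'FAIL';
    print "$name/$pw: crypt=$ok_crypt md5=$ok_md5\n";
}
```

Run it as a plain script; the two "alice" attempts print ok and FAIL respectively, and the two stored values for alice and bob differ even though their passwords match. Keep in mind what the thread itself says: either scheme only buys basic protection against casual browsing of the stored values, since both crypt() and MD5 are cheap to compute.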