Re: Crypt function
James == James Kelty [EMAIL PROTECTED] writes:

James> Can anyone point out a good book that details the functionality
James> of perl and crypt()? I would like to have a cgi page that
James> allows new members to sign up, hold the info in a flat file, but
James> I would like to have the passwords encrypted. Any help would be
James> much appreciated! Thanks a lot!

The basic strategy is:

    use CGI qw(param);   # provides param() for the CGI part below

    my $username  = 'randal';
    my $cleartext = 'guessme';   # this is the password you want to protect

    ... adding user to password file

    my $encrypted = crypt($cleartext, 'zz');
    open PASSWORDFILE, '>>passwd' or die;
    print PASSWORDFILE "$username:$encrypted\n";
    close PASSWORDFILE;

    ... time passes

    my $username = param('username');   # 'randal'
    my $guess    = param('password');   # testing to see if it's 'guessme'
    my $encryptedpassword;
    open PASSWORDFILE, 'passwd' or die;
    while (<PASSWORDFILE>) {
        chomp;
        my ($u, $e) = split /:/;
        next if $u ne $username;
        $encryptedpassword = $e;
        last;
    }
    die "missing user" unless defined $encryptedpassword;
    die "mismatch password"
        unless crypt($guess, $encryptedpassword) eq $encryptedpassword;

    .. he's good!

That last line is the big one. You store the *output* of crypt into the file. You then compare the result of running crypt *again* to what's in the file.

As for that salt parameter, ignore it. I just use 'zz' or something. In this day and age with fastcrypt implementations, having a varying salt really doesn't add much to security.

Hope this helps... it took me a few minutes to compose. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: Crypt function
On Wed, Jun 27, 2001 at 08:49:55AM -0700, James Kelty wrote:

> Can anyone point out a good book that details the functionality of
> perl and crypt()? I would like to have a cgi page that allows new
> members to sign up, hold the info in a flat file, but I would like to
> have the passwords encrypted. Any help would be much appreciated!
> Thanks a lot!

I normally use Digest::MD5 for this kind of thing. The module, like most others, is available from CPAN.

    #!/usr/bin/perl -w
    use Digest::MD5 qw(md5_hex);
    use strict;

    my $secret_password = 'foobarqux';
    my $digest = md5_hex($secret_password);

This is not really encryption as it's a one-way function. You can't reverse the procedure to find the password from the digest, so to authorise your users you will need to perform the digest function on the password they've supplied and compare it with the stored string.

Be wary of passing passwords over http as they can be sniffed; https would be preferred.

There's probably better ways of authenticating users. I would be glad to learn them from any of the real programmers on the list. :)

Regards.

EbGb.
Re: Crypt function
Randal L. Schwartz [EMAIL PROTECTED] writes:

>     my $encrypted = crypt($cleartext, 'zz');
> .
> As for that salt parameter, ignore it. I just use 'zz' or something.
> In this day and age with fastcrypt implementations, having a varying
> salt really doesn't add much to security.

Having a better salt (than the two characters 'zz') helps prevent casual or accidental browsing (say, by the sysadmin) from revealing that two users have the same password. While this only adds minimal security, it's worth the minimal effort to avoid that problem. You can use the first (or last) two characters of the username for a simple salt:

    # last two characters of the username as the salt
    my $encrypted = crypt($cleartext, substr($username, -2, 2));

The brief documentation for crypt is available (among other places) at:

    http://www.perl.com/pub/doc/manual/html/pod/perlfunc/crypt.html

[EMAIL PROTECTED] adds:

> I normally use Digest::MD5 for this kind of thing. The module, like
> most others, is available from CPAN.
>
>     #!/usr/bin/perl -w
>     use Digest::MD5 qw(md5_hex);
>     use strict;
>
>     my $secret_password = 'foobarqux';
>     my $digest = md5_hex($secret_password);
>
> This is not really encryption as it's a one-way function. You can't
> reverse the procedure to find the password from the digest, so to
> authorise your users you will need to perform the digest function on
> the password they've supplied and compare it with the stored string.

I'll second this recommendation. To avoid the same-password issue described above, it's slightly better to append the username when computing the hash, as in:

    my $digest = md5_hex($secret_password . $username);

You may want to require a minimum password length or check for obvious passwords. Also, consider using SSL for the CGI script to prevent the password from being sniffed during transmission to your server. Consult with a security expert if you need more than basic security on your site.

+ Richard J. Barbalace
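Putting the thread's store-then-recrypt pattern from the first reply together with the varying-salt point from the last one, as an added example that is not code from any of the posts: it generates a random two-character salt per user, verifies a guess by re-running crypt() with the stored hash as the salt, and shows that two users with the same password get identical hashes under the fixed salt 'zz' but (almost always) different ones under random salts. It assumes a Perl whose libc crypt() still supports the traditional two-character salt; the user names and passwords are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not from the thread: per-user random salt for crypt(),
# the verify step from the first reply, and the fixed-vs-random salt
# comparison from the last reply.
use strict;
use warnings;

# The 64 characters crypt() accepts in a traditional salt.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Two random salt characters.  The salt is not a secret, it only needs
# to differ between users, so rand() is adequate for this purpose.
sub make_salt {
    return join '', map { $salt_chars[ int rand @salt_chars ] } 1 .. 2;
}

# Build the "user:hash" line the thread stores in the flat file.  A salt
# may be passed in (e.g. 'zz') to reproduce the fixed-salt behaviour.
sub make_entry {
    my ($username, $cleartext, $salt) = @_;
    $salt = make_salt() unless defined $salt;
    return "$username:" . crypt($cleartext, $salt);
}

# Look up the user's stored hash and re-run crypt() with that hash as
# the salt (crypt() reads the salt from its first two characters).
# Returns 1 on a match, 0 on a mismatch, undef if the user is unknown.
sub check_password {
    my ($username, $guess, @entries) = @_;
    for my $line (@entries) {
        chomp $line;
        my ($u, $e) = split /:/, $line, 2;
        next if $u ne $username;
        return crypt($guess, $e) eq $e ? 1 : 0;
    }
    return undef;
}

# Constructed demo: alice and bob both chose the password "guessme".
my @fixed  = (make_entry('alice', 'guessme', 'zz'), make_entry('bob', 'guessme', 'zz'));
my @random = (make_entry('alice', 'guessme'),       make_entry('bob', 'guessme'));

my ($fa, $fb) = map { (split /:/)[1] } @fixed;
my ($ra, $rb) = map { (split /:/)[1] } @random;
print "fixed salt 'zz': ", ($fa eq $fb ? 'identical' : 'different'), " hashes\n";
print "random salts:    ", ($ra eq $rb ? 'identical' : 'different'), " hashes\n";
print "alice/guessme:   ", check_password('alice', 'guessme', @random), "\n";
print "alice/wrong:     ", check_password('alice', 'wrong',   @random), "\n";
```

With random salts the two 'guessme' hashes collide only when both users happen to draw the same salt (1 chance in 4096), which is the whole point of varying it.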