Perl: the Markov chain saw | |
PerlMonks |
Re^3: Passing variable from one cgi to anotherby WoodyWeaver (Monk) |
on Jan 10, 2008 at 17:06 UTC ( [id://661659]=note: print w/replies, xml ) | Need Help?? |
lists of passwords stored, even if they are locked
Don't store lists of passwords. Store them encrypted. Share a secret between main.cgi and secimage.cgi. Encrypt and store in main; pull and decrypt in secimage. The project I am working on doesn't want a user to be able to easily copy the password and save it, or just copy and paste it into the login box The project is an ass. This is half-baked at best. Figure out the security controls that are required, and implement them. "Don't make it easy" is not a control. Presumably what you are trying to do is to require positive action to activate the thing this is password protecting, i.e. to force the user to take the protection of password seriously. Generating a password and then sending it to them is going to have the opposite action. I would strongly encourage review of the protocols by a security professional. --woody EDIT: Sorry, my tone is bad. One should never call a well meaning project an ass. I work in Fedspace, and recently had an encounter with a web project that went something like this:
Designer: We need a unique identifier. Lets ask the user for their social security number. Let me restate. Before designing the final solution, determine the actual requirements. Be aware of any unintended consequences of your solution. If your requirement is to 'fool the bots', i.e. to perform a turing test, be aware that this is not easy and that there are no great solutions today. Use of graphical captcha's carries a rather high cost, actually -- in the united states, about one person in ten has a vision defect, with about one in twenty suffering from red/green blindness. Graphical captchas will either disenfranchise large portions of your community or will require deployment of alternative strategies and probably help desk lines. Well, at least the advice to not store passwords in the clear is sound. :-)
In Section
Seekers of Perl Wisdom
|
|