Password shtuff
by ysth (Canon) on Dec 30, 2010 at 19:55 UTC (id://879861, pmdevtopic)
Rough notes on a chatterbox discussion.
How about md5 crypts instead of the password in the cookie? That would allow passwords > 8 chars (with a user table change).

md5 may be too CPU expensive; needs to be tested. An md5 crypt certainly takes more time than a des crypt: on some machine the md5 crypt seems to take 5e-4 seconds, the des takes 1.3e-5 seconds.

(comments about $3$/NT-hash)

Instead of comparing the hashed password in the cookie to the hash of the clear password in the database, store the hashed password in the database and the non-salt part of it in the cookie; authenticate cookies via string compare. Later, the unhashed password will be eliminated.

- update the user edit page to require the previous password in order to change the password
- have a real "password reset e-mail" feature
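The scheme sketched above (salted md5 crypt in the user table, the non-salt part in the cookie, cookie check by string compare, plus the des-vs-md5 timing) as an added illustration in Perl; this is not PerlMonks code, and it assumes a glibc-style crypt(3) that understands "$1$" salts and a constructed sample password and salt.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::HiRes qw(time);

# Constructed sample values, not real user data.
my $password = 'correct horse battery';   # > 8 chars; des crypt would truncate it
my $salt     = 'ab3Xq9Zk';                # md5 crypt salt, up to 8 chars

# md5 crypt: setting string is "$1$" . salt . "$"; the result embeds the salt.
sub md5_crypt {
    my ($pw, $salt) = @_;
    return crypt($pw, '$1$' . $salt . '$');
}

# Split a stored "$1$salt$hash" into its salt and its non-salt (hash) part.
sub split_md5_crypt {
    my ($stored) = @_;
    my ($s, $h) = $stored =~ /^\$1\$([^\$]{1,8})\$(.{22})$/
        or die "not an md5 crypt string: $stored";
    return ($s, $h);
}

# Login path: recompute with the stored setting and compare to the stored string.
sub password_is_valid {
    my ($pw, $stored) = @_;
    return crypt($pw, $stored) eq $stored;
}

# Cookie path: the cookie carries only the hash part; validation is a string
# compare against the database value, no clear-text password involved.
sub cookie_is_valid {
    my ($cookie, $stored) = @_;
    my (undef, $db_hash) = split_md5_crypt($stored);
    return $cookie eq $db_hash;
}

# Average seconds per crypt() call for a given setting string.
sub time_crypt {
    my ($setting, $n) = @_;
    my $t0 = time;
    crypt($password, $setting) for 1 .. $n;
    return (time - $t0) / $n;
}

my $stored = md5_crypt($password, $salt);          # what the user table stores
my (undef, $cookie_value) = split_md5_crypt($stored); # what the cookie stores
print "login: ",  password_is_valid($password, $stored) ? "ok" : "rejected", "\n";
print "cookie: ", cookie_is_valid($cookie_value, $stored) ? "ok" : "rejected", "\n";
printf "des crypt %.1e s, md5 crypt %.1e s per call\n",
    time_crypt('ab', 1000), time_crypt("\$1\$$salt\$", 1000);
```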