dstar has asked for the wisdom of the Perl Monks concerning the following question:

I'm working on a website which is built from information stored in a back-end DB. Part of that information includes membership info; Username and Password. I don't wish to simply store the password in plain text in the DB, for obvious reasons. Ideally, I'd prefer not to have it passed in plain text across the network.

It's been a couple of years since I did any web development stuff. I'm using HTML::Mason, Apache, and mod_perl.

What are my options, and where's the FM for *good* web development like this?

Re: Storing passwords in a DB (MD5)
by enoch (Chaplain) on Aug 13, 2001 at 21:41 UTC
    Use the tried and true hash comparison method. Send the username/password pair over the wire encrypted with SSL so no one can sniff it. In the Perl script that grabs this variable, MD5 the password and insert/compare it to the database.

    Jeremy
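    The hash comparison method described above, as an added example that is not code from the thread: the plain MD5 store/compare using Digest::MD5, and beside it a per-user salted variant using Digest::SHA (both core modules). The `%users` hash stands in for the DB table, and `rand()` is only a placeholder for a proper random source such as `/dev/urandom`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha256_hex);

# Constructed in-memory "users" table: username => stored hash.
# A real site would read and write these rows through DBI.
my %users;

# The method from the thread: store md5_hex($password), compare on login.
sub store_md5 {
    my ($user, $password) = @_;
    $users{$user} = md5_hex($password);
    return $users{$user};
}

sub check_md5 {
    my ($user, $password) = @_;
    return 0 unless exists $users{$user};
    return md5_hex($password) eq $users{$user} ? 1 : 0;
}

# Weakness of plain MD5: equal passwords give equal hashes, so one
# precomputed table of common passwords breaks every matching account.
# A per-user random salt stored next to the hash (salt$hash) removes
# that; the salt is not secret, it just forces work per account.
sub store_salted {
    my ($user, $password) = @_;
    # rand() is a placeholder; use a CSPRNG in production.
    my $salt = join '', map { sprintf '%02x', int rand 256 } 1 .. 8;
    $users{$user} = "$salt\$" . sha256_hex($salt . $password);
    return $users{$user};
}

sub check_salted {
    my ($user, $password) = @_;
    return 0 unless exists $users{$user};
    my ($salt, $hash) = split /\$/, $users{$user}, 2;
    return sha256_hex($salt . $password) eq $hash ? 1 : 0;
}

# Demo with constructed sample accounts sharing one password.
store_md5('alice', 'hunter2');  store_md5('bob', 'hunter2');
print "MD5: alice and bob hashes equal? ", ($users{alice} eq $users{bob} ? 'yes' : 'no'), "\n";
print "MD5: alice correct pw -> ", check_md5('alice', 'hunter2'), ", wrong pw -> ", check_md5('alice', 'nope'), "\n";
store_salted('carol', 'hunter2');  store_salted('dave', 'hunter2');
print "Salted: carol and dave hashes equal? ", ($users{carol} eq $users{dave} ? 'yes' : 'no'), "\n";
print "Salted: carol correct pw -> ", check_salted('carol', 'hunter2'), ", wrong pw -> ", check_salted('carol', 'nope'), "\n";
```

    A fast hash like MD5 or SHA-256, even salted, can be brute-forced at high speed; a deliberately slow password hash (bcrypt, scrypt or Argon2) is the current recommendation for stored credentials.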
      I was hoping I could avoid SSL, so I could avoid the certificate thing. Ah well. Thanks.

      Well, it will be encrypted, but that doesn't necessarily mean it won't be sniffed out; it may contain garbled trash. Besides, having a sniffer anywhere on your box isn't a good thing anyway.

Re: Storing passwords in a DB
by maverick (Curate) on Aug 13, 2001 at 22:45 UTC
    Since you want to avoid SSL, try this. Store the passwords in the DB MD5 encrypted. Use a piece of JavaScript (shudder) like this one to MD5 the user's password BEFORE it is sent back to the server. I've not tested this JavaScript code, but it doesn't appear to contain any browser-dependent things.

    /\/\averick
    perl -l -e "eval pack('h*','072796e6470272f2c5f2c5166756279636b672');"

      Unfortunately, the website needs to be available to lynx and other browser users, so no JavaScript for me. :( I guess I'll look at SSL.
Re: Storing passwords in a DB
by suaveant (Parson) on Aug 13, 2001 at 22:13 UTC
    If you are using MySQL as a back-end DB, it has some builtin functions that may be useful (see here); otherwise maybe your DB has similar ones (assuming a relational DB and not GDBM).

    - Ant
    - Some of my best work - Fish Dinner