in reply to Re^7: encrypt passwords
in thread encrypt passwords

In summary, even you are admitting that without compromise, your only recourse is to tell your boss 'no'.

If that's your summary, you didn't read what I wrote.

You don't tell your boss: "No!". You tell your boss: "There are things we could do, but there is no point in doing them." And then you explain why.

You have offered no alternative

I have. Fix the authentication mechanism. Properly.

To get into the detail of how to go about that would require much more than your vague description.

Yes, someone who speaks Perl (or any of a dozen other C-like languages) will probably be able to hack the passwords if they have access to the module. But that does add a layer of knowledge required.

Sorry, but protecting against those with no skills is like wearing a pinafore in a war zone.

And offering obfuscation as security is tantamount to fraud.

With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority". I'm with torvalds on this
In the absence of evidence, opinion is indistinguishable from prejudice. Agile (and TDD) debunked

Replies are listed 'Best First'.
Re^9: encrypt passwords
by marinersk (Priest) on Apr 18, 2015 at 01:43 UTC

    As usual, I have no particular argument with the facts you have presented; only that you are ignoring facts presented to you.

    You tell your boss the right way to fix it. He says,

          "Well, Mike Richardson owns that server. He set it up, his people maintain it, and we've asked him to change authentication to something which can be globalized. But he won't budge. And my management won't back me on trying to force him to change the way he does business -- it just isn't in our corporate culture.      
     
    However, they do have a bug up their behind about getting cleartext passwords out of this module.
     
    Short of revamping the entire system, which I cannot do, what can you do for me to meet this requirement?"

    So, esteemed BrowserUk, I ask you again -- laying out more fully what I suspect you were smart enough to know was my point all along -- what is your response in this hypothetical situation? Is this really the issue you'd really stand tall on and stake your career path, or would you be inclined to bend a little, and help your boss?

    And, assuming you don't choose to tender your resignation (or at least put the nail in the coffin of your future with this company), what would your approach be toward developing a solution for your boss?

    Which comes as close as I dare to presenting a condition which might require the assistance requested by the OP.

[reply]

      1. I'd tell him the truth.

        Depending upon my read of the situation and the man, I'd likely do it in the form of a formal report.

        If I felt it necessary, I'd copy his boss on it.

      2. I'd demonstrate that any pure Perl solution is trivially defeated with minimum effort and knowledge.

        I'd hide a password behind 3 levels of secure encryption, and run the script as:

        perl -d:Trace theScript.pl | find "DBI->connect"

        [download]

        And watch the decoded password pop into view.

      3. I'd then offer him a binary solution as a "stop gap" measure, to be used at his own risk.

        And I'd want pre-absolution for any and all failures; in writing, before I coded it.

      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority". I'm with torvalds on this
      In the absence of evidence, opinion is indistinguishable from prejudice. Agile (and TDD) debunked
[reply]
[d/l]
[select]

        Okay. The depths to which you will go to stick to your guns on this surprises me just a bit; but, as usual, your answer is sound.

        All of this was hypothetical anyway, so it's definitely not worth the time I've dragged us into spending on it. Other than, perhaps, getting to know you a bit better, which I find valuable.

        I've had many points in my career where I stuck to my guns due to a fervent belief that a thing was important, so I certainly can't fault you for the trait.

[reply]

      What would your approach be to developing a solution for your boss to a problem for which a primary requirement of a solution is that there be no actual solution of the problem?

      One approach might be to forthrightly declare that there can be no solution to a problem which is required to have no solution. You then take the hit to your "future", such as it is, with this company.

      Another approach would be to deposit your personal and professional integrity alongside your boss's in the receptacle in which it now moulders, and confidently declare that the problem can, indeed, be solved by the application of sufficient snake oil — and you have just the snake oil needed. You then immediately start looking around for some co-worker whom you can set up to use as the fall-guy when the "solution" you will provide collapses in the face of the first real test of adversity it encounters. If you are sufficiently Machiavellian, you may, as poetic justice and for extra points, be able to set up your boss as the patsy. Be assured that your boss already has you marked down for this position!

      In any event, you start prospecting for the next step on your career path, recognizing that all the nails are already solidly hammered home in the coffin of your future with this benighted company. (And who's the president of this hypothetical outfit anyway? Tom Ripley?)

      Give a man a fish:  <%-(-(-(-<

[reply]
[d/l]

        All hits taken at full value. I cede the point.

[reply]

In Section Seekers of Perl Wisdom