Kiko has asked for the wisdom of the Perl Monks concerning the following question:

Hey, I wrote a script that allows a user to login with a password. The only problem is that other people have access to the file that contains the user name and password. Therefore, I'm trying to encrypt the user name and password in that same file. Please Help! Thanks, Kiko

Re: Encrypting a user name and password
by Corion (Patriarch) on Jun 21, 2000 at 19:40 UTC

    As long as other people also have write-access to the file, there is no way you can keep the login information safe. Both your password-checking Perl code and the file it reads are open to the users for manipulation, so there is no safety.

    If the other people only have read-access, you can gain some limited "security" by using the crypt() subroutine and storing only the crypted passwords instead of the plaintext passwords. A user is then accepted if his crypted password equals the crypt you have stored in your file.

    Another stupid idea would be to encrypt the whole file, stupid because a black hat would only need to look shortly at your Perl code to see what the decryption parameters are. If the stored file is not safe, neither is your Perl program.

RE: Encrypting a user name and password
by Shendal (Hermit) on Jun 21, 2000 at 19:41 UTC
    What you want to look at is crypt.

    Simply encrypt the password when you write it to the file. When the user logs in, crypt it, and compare this against your previously stored (and encrypted) string.

    HTH,
    Shendal
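
    The crypt()-based scheme Corion and Shendal describe, as an added example that is not code from this thread. It assumes a colon-separated "user:crypted" file named passwd.txt in the current directory and the system crypt(3); only the crypt() output is ever written, and login re-crypts the candidate using the stored value as the salt.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example; passwd.txt holds one "user:crypted" line per user.
my $file = 'passwd.txt';

# Salt alphabet accepted by crypt(3). A two-character salt selects the
# traditional DES scheme, which only uses the first 8 characters of the
# password; on glibc a '$6$' prefix would select SHA-512 instead.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub new_salt {
    return join '', map { $salt_chars[ rand @salt_chars ] } 1 .. 2;
}

# Store only crypt()'s output, never the plaintext password.
sub add_user {
    my ($user, $password) = @_;
    die "bad user name\n" if $user =~ /[:\n]/;
    my $crypted = crypt($password, new_salt());
    open my $fh, '>>', $file or die "open $file: $!";
    print $fh "$user:$crypted\n";
    close $fh;
}

# Re-crypt the candidate with the stored string as salt: crypt() reads
# only the leading salt characters, so equal output means a match.
sub check_login {
    my ($user, $candidate) = @_;
    open my $fh, '<', $file or die "open $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $stored) = split /:/, $line, 2;
        next unless defined $stored && $u eq $user;
        return crypt($candidate, $stored) eq $stored;
    }
    return 0;    # unknown user
}

add_user('kiko', 's3cret') unless -e $file;
print check_login('kiko', 's3cret') ? "login ok\n" : "login failed\n";
print check_login('kiko', 'wrong')  ? "login ok\n" : "login failed\n";
```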
RE: Encrypting a user name and password
by Ovid (Cardinal) on Jun 22, 2000 at 02:20 UTC
    Don't forget to have this on a secure server. If someone really wants to hack you, passwords sent as plain-text are going to kill you.

    "My mistress deceives me. So what?
    I'd rather be lied to than ignored." Publius Ovidius Naso (Ovid)

Re: Encrypting a user name and password
by KM (Priest) on Jun 22, 2000 at 03:45 UTC
    Maybe I am missing something with this, but if you use one way encryption (crypt(), DES, MD5, etc.) they will not see any passwords. What you then do is take the password provided by the user, encrypt it with whatever scheme you are using, and see if that encrypted mess matches what is in the file. This is not a new concept :)

    Cheers,
    KM

    UPDATE: I am sitting here with Japhy (not j.a.p.h.) and was saying how I don't understand why I see some of the answers I do, and showed him this question. He has a longer explanation here on what I just said.

RE: Encrypting a user name and password
by BigJoe (Curate) on Jun 22, 2000 at 03:11 UTC
    You can also make the script chmod +x script.pl to ensure that users can't see how you crypt and decrypt. Another thing is to try putting the password file with the encrypted passwords into another directory that has different permissions.

    --BigJoe