jcpunk has asked for the wisdom of the Perl Monks concerning the following question:

I am writing a perl script to do user authentication and was wondering, what sort of taint check should be done on a password?

Any thoughts?

Re: Taint checks on passwords?
by hardburn (Abbot) on Jun 04, 2003 at 15:49 UTC

    Take a look at Data::Password.

    ----
    I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
    -- Schemer

    Note: All code is untested, unless otherwise stated

      Another password-checking option, employing the well-known and tested cracklib library, is the Crypt::Cracklib module. The synopsis for this module outlines its usage in a very clear and succinct manner.

      Further information on the cracklib can be found at the library homepage at http://www.crypticide.org/users/alecm/.


      perl -le 'print+unpack"N",pack"B32","00000000000000000000001001100111"'

Re: Taint checks on passwords?
by jcpunk (Friar) on Jun 04, 2003 at 15:54 UTC
    I phrased my question poorly. I need to use this password (gotten from the web) to log in to a user's account, but because I am paranoid I am using -T, and I need to use this data on the shell, hence it is tainted. What sort of regular expression can be run on a password other than (.*)? It feels weird to use that in a script that is supposed to do authentication...
      Most systems implement passwords that only allow letters and numbers. In this case, a decent taint check would be:

      my ($checked) = $submitted =~ m/^([a-zA-Z0-9]+)$/;
      if (!defined $checked) { croak "Invalid name or password.\n" }

      I am actually basing this on what I remember from reading said tutorial by Ovid, where you don't specify what you don't want (which is complicated) but rather specify only what you DO want, and your error message does not give away TOO much information about what went wrong to the user.

        Most systems implement passwords that only allow letters and numbers. In this case, a decent taint check would be:

        my ($checked) = $submitted =~ m/^([a-zA-Z0-9]+)$/;
        if (!defined $checked) { croak "Invalid name or password.\n" }

        Almost right.
        Most systems allow users to enter passwords that match

        /^([a-zA-Z_0-9\(\)\[\]\{\}\+\=\-\\\/\*]{$MinPwLen,$MaxPwLen})$/

        I would use something like this to untaint a password.

        Where:

        $MinPwLen is the minimal password size in chars.

        $MaxPwLen is the maximal password size in chars (if any maximum is needed).

        Note: Don't forget to document and tell your users about what characters are valid to compose a password. This is very important.

        Note 2: Keep this kind of information away from evil internet script-kiddies; they can use this to narrow a dictionary-like attack and break into your system faster.

        May the gods bless you

        =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
        Just Another Perl Monk
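Putting the two replies above together, here is an added example (not code from the thread) of a whitelist untaint with length bounds. The character class, the 8/64 limits and the sample inputs are assumptions chosen for illustration:

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: a whitelist untaint for a
# submitted password, combining the two replies above. The character
# class, the 8/64 length bounds and the sample inputs are assumptions.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my $MinPwLen = 8;    # assumed policy minimum
my $MaxPwLen = 64;   # assumed policy maximum

# Returns the untainted password, or nothing if it does not match the
# whitelist. Perl clears the taint flag on ANY regex capture, so the
# security lies entirely in the anchors (^ ... $) and the character
# class: a capture of (.*) would "untaint" the data just as readily
# without validating anything.
sub untaint_password {
    my ($submitted) = @_;
    return unless defined $submitted;
    my ($checked) = $submitted =~
        m!^([A-Za-z0-9_()\[\]{}+=\-\\/*]{$MinPwLen,$MaxPwLen})$!;
    return $checked;
}

# Constructed inputs. Under -T, data derived from %ENV is tainted, so
# appending a zero-length slice of $ENV{PATH} marks each sample as if
# it had arrived from a CGI form.
my $taint_marker = substr($ENV{PATH} // '', 0, 0);
my @samples = (
    'correct-h0rse_battery',   # accepted
    'short',                   # below $MinPwLen
    'semi;colon',              # ';' is not in the whitelist
    'with space',              # neither is ' '
    'x' x 65,                  # above $MaxPwLen
);

for my $sample (@samples) {
    my $clean   = untaint_password($sample . $taint_marker);
    my $verdict = !defined $clean ? 'rejected'
                : tainted($clean) ? 'accepted but still tainted (bug)'
                :                   'accepted and untainted';
    printf "%-25s %s\n", $sample, $verdict;
}
```

Run it as `perl -T untaint.pl`; without -T the taint flag is never set and `tainted()` is always false. Only the first sample is accepted, and `tainted()` confirms the captured group is clean. The point the `(.*)` question in the thread is circling is that the capture is not the check; the whitelist is.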

      I am using -T, and I need to use this data on the shell, hence it is tainted. What sort of regular expression can be run on a password other than (.*)? It feels weird to use that in a script that is supposed to do authentication...
      Check out Ovid's excellent CGI course for an approach to CGI security when using the shell to run commands which vary based on user input.
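For the shell step in the question, here is an added example (not from the thread or from Ovid's course) of validating a tainted form value and then handing it to an external checker under -T without it ever passing through a shell. The program /usr/local/bin/check-login, its --stdin flag and its "user, newline, password" stdin protocol are hypothetical placeholders; the regexes and the form values are assumed:

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: running an external checker
# with untainted credentials under -T, bypassing the shell entirely.
# /usr/local/bin/check-login and its --stdin protocol are hypothetical.
use strict;
use warnings;

# Under -T, Perl dies with "Insecure $ENV{PATH}" when a command is run
# with a tainted PATH, so set a trusted one and drop the variables a
# shell would honour if one were ever involved.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist untaints (assumed policies); undef means "reject".
sub untaint_username {
    my ($submitted) = @_;
    my ($checked) = ($submitted // '') =~ /^([a-z_][a-z0-9_-]{0,31})$/;
    return $checked;
}

sub untaint_password {
    my ($submitted) = @_;
    my ($checked) = ($submitted // '') =~
        m!^([A-Za-z0-9_()\[\]{}+=\-\\/*]{8,64})$!;
    return $checked;
}

# Returns true when the checker exits 0. The password goes over stdin,
# not argv, so it is not visible to every local user via ps, and the
# list form of open() execs the program directly: no /bin/sh, so
# metacharacters in the data are inert even if the whitelist were
# loosened later.
sub check_login {
    my ($user, $password) = @_;
    local $SIG{PIPE} = 'IGNORE';   # a dead child must not kill us
    my @cmd = ('/usr/local/bin/check-login', '--stdin');   # hypothetical
    open(my $child, '|-', @cmd) or die "cannot run $cmd[0]: $!";
    print {$child} "$user\n$password\n";
    close $child;                  # sets $? from the child's exit status
    return $? == 0;
}

# Constructed input, as it would arrive (tainted) from a CGI form.
my ($form_user, $form_pass) = ('alice', 'correct-h0rse_battery');

my $user = untaint_username($form_user);
my $pass = untaint_password($form_pass);
if (!defined $user || !defined $pass) {
    # One message for both failures: the client learns only that
    # "something was wrong", as the earlier reply advises.
    die "Invalid name or password.\n";
}
print check_login($user, $pass) ? "login ok\n" : "login failed\n";
```

Run it as `perl -T login.pl`. Two design choices carry the security here: the untaint regexes are the only gate between the user and the program, and the list-form `open` plus stdin delivery means there is no shell to quote for and no command line to leak the password.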