Re: Ecrypting passwords

crypt() is very similar to Linux passwords. I would use MD5 (better hash) or Crypt::Blowfish (reversible if you want to be able to email password reminders) but this is very simple to implement:

my $salt = 'Na';
print crypt( 'password', $salt ), $/;
print "Valid" if crypt( 'password', $salt ) eq 'Na3eD25AE5/zI';
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Re: Ecrypting passwords Download Code

Replies are listed 'Best First'.
Re: Re: Ecrypting passwords by DrHyde (Prior) on Oct 06, 2003 at 08:35 UTC
If you want to send password "reminders", then because the user has forgotten their password you don't really need to be able to retrive their old password and send it to them. Just generate a new password for them.	[reply]
Re: Re: Re: Ecrypting passwords by zakzebrowski (Curate) on Oct 06, 2003 at 11:40 UTC
True... but there is still stuff to think about. How do you verify that the person is indeed the person you think you're sending the password to? Do you change the password immediatly as someone made the request, or do you wait to verify that the request was valid by verifiying the user through some other means... (If the person was on your site as the password was reset, this could be a bad thing...) Anyways, just a "thought exercise" first thing in the morning... Cheers. ---- Zak `undef$/;$mmm="J\nutsu\nutss\nuts\nutst\nuts A\nutsn\nutso\nutst\nutsh\ +nutse\nutsr\nuts P\nutse\nutsr\nutsl\nuts H\nutsa\nutsc\nutsk\nutse\n +utsr\nuts";open($DOH,"<",\$mmm);$_=$forbbiden=<$DOH>;s/\nuts//g;print +;` [download]	[reply] [d/l]
Re: Re: Re: Re: Ecrypting passwords by DrHyde (Prior) on Oct 06, 2003 at 14:01 UTC
How do you verify that the person is indeed the person you think you're sending the password to? There's no foolproof way of doing it if the user has forgotten the keys they need to authenticate with. Sending the new password to the email address the user registered with is good enough most of the time. Of course, if it were something like an online banking password, I'd get the customer to phone, maybe even have them go to their branch in person, and have a human authenticate them. (Let's not talk about how bad humans are at authenticating humans for now :-) Do you change the password immediatly as someone made the request, or do you wait to verify that the request was valid by verifiying the user through some other means. Depends on the circumstances. Most of the time, changing it immediately and notifying the customer by email is good enough. For some situations, you might want to email the customer to confirm that they want to reset their password. (If the person was on your site as the password was reset, this could be a bad thing...) Shouldn't matter, as no-one in their right mind would be sending the password across the wire with every HTTP transaction. They will instead have been given some token like a cookie to identify them for this session.	[reply]