Re: Re: User, Encrypting Passwords and validating

Yeah good point actually. I guess im trying to never store the users password in either the file or in the cookie. Just trying to figure out now to do it, so if anyone hacks either the cookie or the file, they'll never end up getting the original password. Thanks! that's helped

ThAtH0M

Comment on Re: Re: User, Encrypting Passwords and validating

Replies are listed 'Best First'.
Re: Re: Re: User, Encrypting Passwords and validating by cees (Curate) on Feb 07, 2004 at 18:48 UTC
I guess im trying to never store the users password in either the file or in the cookie. That is usually accomplished by only storing a one way hash of the password. This is how the Unix passwd/shadow file stores passwords. You can check to see if a supplied password is valid by hashing it again and comparing it against what is stored. `if (crypt($password, $storedpwd) ne $storedpwd) { die "Sorry...\n"; } else { print "ok\n"; }` [download] You mentioned that you don't want to use external modules, so I showed an example using the built in 'crypt' function (see 'perldoc -f crypt' for more info), but it would be more secure to use SHA1 or MD5 hashes. - Cees	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Re: User, Encrypting Passwords and validating
by cees (Curate) on Feb 07, 2004 at 18:48 UTC

I guess im trying to never store the users password in either the file or in the cookie.

That is usually accomplished by only storing a one way hash of the password. This is how the Unix passwd/shadow file stores passwords. You can check to see if a supplied password is valid by hashing it again and comparing it against what is stored.

if (crypt($password, $storedpwd) ne $storedpwd) {
  die "Sorry...\n";
} else {
  print "ok\n";
}
[download]

You mentioned that you don't want to use external modules, so I showed an example using the built in 'crypt' function (see 'perldoc -f crypt' for more info), but it would be more secure to use SHA1 or MD5 hashes.

- Cees

[reply]
[d/l]