I have a database which stores an MD5 digest of the user's password. Here's the method which creates the digest:
    use Digest::MD5;

    # Hash the password together with the per-object salt and return the
    # Base64 form of the digest (22 characters, no padding).
    sub create_digest_from_password {
        my ( $self, $pass ) = @_;
        my $md5 = Digest::MD5->new;
        $md5->add( $pass );
        $md5->add( $self->{ _salt } );
        return $md5->b64digest;
    }
This method has worked fine. However, I now have a method that two other programmers are using that allows them to update the password in the database. How can I ensure that they are only putting in an MD5 digest and not the plaintext password? I could test on length (the base 64 digest is exactly 22 characters), but that won't work if someone creates a password that is 22 characters long.
The actual method call that they use looks like this:
    my $sec     = Foo::Security->new;
    my $success = $sec->update_admin_user( {
        user       => 'bboop',
        first_name => 'Betty',
        last_name  => 'Boop',
        password   => $enc_password,
    } );
user is mandatory, all other fields are optional, though at least one other must exist. I could easily modify the method so that the password key has a plaintext password and the method encrypts it. That would mean that the programmer doesn't have to worry about it, but then I have the reverse problem: how do I ensure that they passed a plaintext password and not the MD5 digest?
Is this an issue that can be solved programmatically or is this simply a training issue? I'd like to solve this programmatically, if possible, because I have no control over who is going to maintain this code in the future.
Cheers,
Ovid
In reply to MD5 Password Validation by Ovid
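One way to make the distinction by type rather than by length, as an added example that is not part of the original post or of Ovid's code: `create_digest_from_password` returns the digest wrapped in a small blessed object, and `update_admin_user` refuses anything in the `password` slot that is not such an object. A 22-character plaintext password is then still rejected, because it is a plain string, not a `Foo::Security::Digest`. The package name `Foo::Security::Digest`, the constructor's `salt` argument and the example salt are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5;
use Scalar::Util qw(blessed);

# Hypothetical wrapper type. Only create_digest_from_password produces it,
# so receiving one is proof that the value has already been hashed.
package Foo::Security::Digest;

sub new {
    my ( $class, $b64 ) = @_;
    # The Base64 form of a 128-bit MD5 digest is exactly 22 characters
    # from the Base64 alphabet; anything else cannot be one of our digests.
    die "not a Base64 MD5 digest\n"
        unless defined $b64 && $b64 =~ m{\A[A-Za-z0-9+/]{22}\z};
    return bless { value => $b64 }, $class;
}

sub value { $_[0]{value} }

package Foo::Security;

sub new {
    my ( $class, %args ) = @_;
    # Constructed example salt (assumption); the real object has its own.
    return bless { _salt => $args{salt} // 'example-salt' }, $class;
}

sub create_digest_from_password {
    my ( $self, $pass ) = @_;
    my $md5 = Digest::MD5->new;
    $md5->add( $pass );
    $md5->add( $self->{_salt} );
    # Return the tagged object instead of a bare string.
    return Foo::Security::Digest->new( $md5->b64digest );
}

sub update_admin_user {
    my ( $self, $args ) = @_;
    die "user is mandatory\n" unless defined $args->{user};

    if ( exists $args->{password} ) {
        my $pw = $args->{password};
        # A bare string here is a plaintext password (or at best an
        # untagged digest); refuse it instead of storing it.
        die "password must be a Foo::Security::Digest, not a plain string\n"
            unless blessed($pw) && $pw->isa('Foo::Security::Digest');
        $args->{password} = $pw->value;    # unwrap for the database layer
    }

    # Placeholder for the real database update.
    return 1;
}

package main;

my $sec = Foo::Security->new;

# Correct usage: hash first, then pass the tagged digest.
my $digest = $sec->create_digest_from_password('s3cret');
print "storing digest ", $digest->value, "\n";
$sec->update_admin_user( { user => 'bboop', password => $digest } );

# Mistaken usage: the plaintext string never reaches the database.
eval { $sec->update_admin_user( { user => 'bboop', password => 's3cret' } ) };
print "rejected: $@" if $@;
```

The same tag answers the reverse problem from the post: if `update_admin_user` is changed to accept plaintext and hash it itself, the check becomes "die if the value is blessed into `Foo::Security::Digest`", so a caller who hashes twice is caught just as reliably. Either way the method's contract is enforced by the type of the argument, which a future maintainer cannot satisfy by accident.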