I'm not a security expert, but I can suggest a tip which I have used in similar projects such as yours, where security is more of just personal or family privacy as opposed to financial accounts, etc.... Use the crypt function to encrypt your password.

Basically crypting is one way (there is no uncrypt command), so you need to determine ahead of time the encrypted form of your password, which can be stored in the script or in a text file. Then when your user enters in the password, crypt the entry and compare the crypted version to whatever you have stored.

The advantage of this is that if someone sees your script or text file where the script was stored, he/she would only see a jumble of letters and numbers and not your password. Makes you feel more secure, because there is no direct easy way to uncrypt it.

The syntax to determine the crypted form ahead of time is something like this:
    my $p = "howdy";
    my $salt = substr($p, 0, 2);      # define salt however you want
    my $crypted = crypt($p, $salt);
    print "Crypted form of $p is $crypted\n";

Note that $salt is a 2-character variable that determines how $p is crypted. You can define it however you want, even hard code it, but just remember which $salt you use so you can get the same value later. Every Perl book which I have read is quite vague about $salt. I suspect someone in PM will post the inner workings of salt and crypt....

So anyway, after I pre-determine what the encrypted form of "howdy" is (ho8dIXKikSTi2), I would just modify your script as follows:
    my $p = "ho8dIXKikSTi2";          # better than displaying actual password
    my $password = param('password');
    my $salt = substr($p, 0, 2);      # the salt is the first 2 chars of the stored value
    my $crypted = crypt($password, $salt);   # crypt what the user entered, not the stored value
    if ($p eq $crypted) {
        # it worked
    } else {
        # try again
    }
If you notice, the first 2 letters of the encrypted version are $salt, which in my example are also the first 2 letters of your password. Which, personally, I think is still OK, because a password cracker is not going to know that. Of course, if your password is less than 3 characters, then this might be more of a problem?

If you eventually want to write your code such that you can change the password online, then store the encrypted password in a separate file.

I guess this crypting is also good in situations where users create their own passwords, where only the user, and not even the administrator, could read the password.

Hope this helps.

In reply to Re: CGI Password by fpi
in thread CGI Password by bmhm
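The scheme in the reply above, written out as a complete added example (not code from the original poster): the salt is drawn at random from the crypt(3) alphabet rather than from the password, and the login check passes the stored hash itself as the salt, since crypt only reads its leading salt characters. It assumes Perl's crypt is backed by the system crypt(3); the sub names and the demonstration values are my own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters crypt(3) accepts in a traditional two-character salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Pick a fresh random salt instead of deriving it from the password,
# so the stored value reveals nothing about the password's first letters.
sub make_salt {
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2;
}

# Run once, offline, to produce the value you keep in the script or file.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, make_salt());
}

# At login: crypt the entered password using the STORED hash as the salt.
# crypt(3) uses only the leading salt characters of its second argument,
# so the result carries the same salt and can be compared to the stored value.
sub check_password {
    my ($entered, $stored) = @_;
    return crypt($entered, $stored) eq $stored;
}

# Constructed demonstration values (not taken from the original post).
my $stored = hash_password("howdy");
print "Stored form:      $stored\n";
print "Correct password: ", (check_password("howdy", $stored) ? "accepted" : "rejected"), "\n";
print "Wrong password:   ", (check_password("hello", $stored) ? "accepted" : "rejected"), "\n";
```

The same check_password works unchanged if the stored value was produced with a stronger crypt(3) format such as a "$6$" salt, because the salt is parsed out of the stored string rather than hard-coded as two characters.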