You first have to tell us what you want to secure, and from whom or what. The password from someone getting an account on your website server, or the data from someone getting a password to a website account? Do you want the script to use the same user and password for the second website irrespective of the user accessing the first one, or should there be multiple users for both websites with a 1:1 relationship?

If you want to enter a password at the first website and have a password for the second site generated from it, so that you don't need to store any cleartext passwords on the first website, then you can use any hash algorithm like md5. Naturally an attacker logged in as root on your website server can just change your script to print out the cleartext password to a file after it is calculated, but he won't get all passwords and he needs to wait for someone to log in.

If you just want to guard one password from other non-root users on your webserver, just make the script non-world-readable or store the password in a file only readable by the webserver-user account (often 'www-data' for apache). You could obfuscate the password a little by having your script transform it before using it, but that is a minor hindrance to anyone who acquired root or webserver-user account rights.

If you want to guard the password (not the data) of the second webserver from someone who acquired a password from your first webserver through sniffing, then adding a local fixed password to the md5 of the password should work well. Without an account on your webserver to get that fixed password the attacker has no chance to calculate the password on the second server.

Sorry, English is not my first language, this may be difficult to understand.


In reply to Re: CGI Questions by jethro
in thread CGI Questions by Anonymous Monk
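
One way to write the derivation the post describes, as an added example that is not code from the thread: the second-site password is computed from the typed password plus a fixed secret kept in a file only the webserver user can read. The function names, the sample values, and the reading of "adding" as concatenation before hashing are assumptions; the HMAC-SHA256 function is a keyed alternative shown beside the MD5 form, not something the post proposes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(hmac_sha256_hex);
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Read the local fixed secret; refuse a file that group or other can access.
sub read_local_secret {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s has mode %04o; group/other access must be removed\n", $path, $mode)
        if $mode & (S_IRWXG | S_IRWXO);
    my $secret = <$fh>;
    close($fh);
    chomp $secret if defined $secret;
    die "$path is empty\n" unless defined $secret && length $secret;
    return $secret;
}

# Assumed reading of the post: the secret is concatenated with the password before MD5.
sub derive_md5 {
    my ($password, $secret) = @_;
    return md5_hex($secret . $password);
}

# Keyed alternative (swapped in, not from the post): HMAC-SHA256 with the secret as key.
sub derive_hmac {
    my ($password, $secret) = @_;
    return hmac_sha256_hex($password, $secret);
}

# Constructed demo: a temporary file stands in for the secret file.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "constructed-local-secret\n";
close($tmp);
chmod 0600, $path or die "chmod: $!\n";

my $secret = read_local_secret($path);
my $typed  = 'constructed-site1-password';
print "md5 form:  ", derive_md5($typed, $secret), "\n";
print "hmac form: ", derive_hmac($typed, $secret), "\n";

# A world-readable secret file is rejected before any derivation happens.
chmod 0644, $path or die "chmod: $!\n";
eval { read_local_secret($path); 1 } or print "refused: $@";
```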
