in reply to CGI and saving passwords

There's a simple, two-part answer to this question.

The first part: Don't store the username/password in cookies; instead store a simple session identifier. This session identifier should be a randomly created string of probably at least 10 characters, so it's impossible for a person with a session to guess the identifier of someone else's session. Digest::MD5::md5_hex plus rand, $$ and time should probably suffice.

What the session identifier allows you to do is store all of the "sensitive" data someplace on the server, so the user accessing your website can't edit it or even see it.

The second part is to use crypt (or md5, or any other one-way hashing function) to store a hashed version of your passwords on the server. Then you take the plain-text password submitted by the user, hash it, and compare it to the hashed version you have on disk. If it matches, the password is correct. The advantage of one-way hashing functions such as crypt is that there's no (known) way to get the plain text back from the hash, so even if other users can read the password file it won't do them any good. (This is basically how the /etc/passwd file works on Linux installations, ignoring shadow passwords.)

These two suggestions, combined, will probably give you just about the most security you can reasonably expect from using a "public" server you don't have full control over.
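
Both parts of the scheme above, as an added example in Perl that is not part of the original post: the session id is built from md5_hex, rand, $$ and time exactly as suggested, the session data lives in a server-side hash that stands in for a file or database, and passwords are stored and checked with crypt(). The user name, password and in-memory store are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# --- Part 1: opaque session identifiers ---------------------------------
# Built the way the post suggests: a hash of rand, the pid and the time.
sub new_session_id {
    return md5_hex( rand() . $$ . time() );
}

# Server-side session store. The browser only ever sees the id, so it can
# neither read nor edit the username kept here. A real CGI would keep this
# in a file or database; a plain hash stands in for it in this example.
my %sessions;

sub create_session {
    my ($username) = @_;
    my $id = new_session_id();
    $sessions{$id} = { user => $username, created => time() };
    return $id;
}

sub session_user {
    my ($id) = @_;
    return unless defined $id && exists $sessions{$id};
    return $sessions{$id}{user};
}

# --- Part 2: one-way hashed passwords -----------------------------------
# crypt() with a random two-character salt. The salt is carried in the
# result, so verification re-runs crypt() using the stored hash as salt.
my @salt_chars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );

sub hash_password {
    my ($plain) = @_;
    my $salt = join '', map { $salt_chars[ int rand @salt_chars ] } 1 .. 2;
    return crypt( $plain, $salt );
}

sub check_password {
    my ( $plain, $stored ) = @_;
    return crypt( $plain, $stored ) eq $stored;
}

# --- Putting both halves together ---------------------------------------
# Constructed "password file": username => crypt hash, made at startup.
my %passwd = ( alice => hash_password('correct h') );

# Returns the session id to send back as a cookie, or nothing on failure.
sub login {
    my ( $user, $plain ) = @_;
    return unless exists $passwd{$user};
    return unless check_password( $plain, $passwd{$user} );
    return create_session($user);
}

my $cookie = login( 'alice', 'correct h' );
print "login ok, cookie value = $cookie\n" if $cookie;
print "wrong password rejected\n" unless login( 'alice', 'wrong' );
print "cookie resolves to user: ", session_user($cookie), "\n" if $cookie;
print "unknown session id rejected\n" unless defined session_user('bogus');
```

One caveat worth knowing when using crypt() this way: with a traditional two-character salt the system's DES-based crypt(3) only looks at the first eight characters of the password, so "correct horse" and "correct h" verify identically; which algorithm you actually get depends on the platform's crypt(3).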

Replies are listed 'Best First'.
Re: Re: CGI and saving passwords
by JoeJaz (Monk) on May 04, 2004 at 04:33 UTC
    This looks like a good scheme and will be what I will work toward. Thanks for sharing your idea.
Re: Re: CGI and saving passwords
by freddo411 (Chaplain) on May 04, 2004 at 17:56 UTC
    Great thread, and a great comment. ++ to parent.

    I would like to make one quibble. The intention of one way hashes is to have there be no known way to get the plain text back from the hash, but in the real world, evil people can be very clever, especially when there is a monetary reason to be so clever, or if someone claims "there is no way...".

    IANAH (I am not a hacker), but I know that many one-way hash cracking programs are available. They can be surprisingly successful on real-world hashes (passwords). Consequently, please remember the following limitations of one-way hashes.

    * Input strings should be 8 or more characters and should include numbers, symbols and capital letters. (If not, it can more than likely be cracked.)
    * Using words and names as part of your passwd weakens them considerably. Using only a word is like having no passwd.
    * Using "3" for e or "@" for a in your passwd won't help at all -- crackers know these tricks.

    Cheers

    -------------------------------------
    Nothing is too wonderful to be true
    -- Michael Faraday

      It's true that there is nothing to stop someone from running a brute force attack on a one-way hash. However, the reason that people are encouraged to occasionally use non-alphanumeric characters in passwords is simply to slow the cracker down. Using upper and lower case letters increases the number of possibilities from 26 to 52, using numbers increases it to 62, and using non-alphanumerics increases it again. All highly worthwhile practices. This is also the reason for having as many characters as possible in the input string and staying away from real words; both of these techniques slow down a cracker.
      I found it quite amazing that one can find over 50MB of dictionary files on sites related to the "crack" program. I guess if you can think of a word, someone else has thought of it as well and included it in those lists. (Not that I have used them in any other way than audits on my own system, but it's still impressive that someone has gone to the time to make those lists so large.) Joe
        The lists are so large because they include all regular words, plus every regular word with clever substitutions like

        s/e/3/g
        s/a/@/g
        s/l/1/g

        So the dictionary size grows like:
        original size * (Num of subs)^2
        (I think I have that right).

        -------------------------------------
        Nothing is too wonderful to be true
        -- Michael Faraday
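
The dictionary expansion described in this reply, together with the password rules given earlier in the thread, as an added example in Perl that is not part of the original thread: a small constructed word list is expanded with the three substitutions named above (each one applied or not, plus a capitalised first letter), and the resulting candidates are run against a constructed crypt-style password file, the way an audit with a "crack"-type tool would. The accounts and hashes are made up for the example and the hashes are computed with crypt() when the script runs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed word list standing in for the large "crack" dictionaries.
my @words = qw(password letmein monkey secret faraday);

# The substitutions named in the thread: s/e/3/g, s/a/@/g, s/l/1/g.
my @subs = ( [ e => '3' ], [ a => '@' ], [ l => '1' ] );

# Apply every combination of the substitutions (each on or off) and add
# a capitalised-first-letter variant of each result.
sub expand {
    my ($word) = @_;
    my %seen;
    for my $mask ( 0 .. ( 1 << @subs ) - 1 ) {
        my $w = $word;
        for my $i ( 0 .. $#subs ) {
            next unless $mask & ( 1 << $i );
            my ( $from, $to ) = @{ $subs[$i] };
            $w =~ s/$from/$to/g;
        }
        $seen{$w} = 1;
        $seen{ ucfirst $w } = 1;
    }
    return sort keys %seen;
}

sub build_dictionary {
    my %dict;
    $dict{$_} = 1 for map { expand($_) } @words;
    return sort keys %dict;
}

# Audit a crypt-style password file: try every candidate against each
# hash, re-using the stored hash as the salt, just as a login check would.
sub crack {
    my ( $passwd, $candidates ) = @_;
    my %found;
    for my $user ( keys %$passwd ) {
        my $hash = $passwd->{$user};
        for my $cand (@$candidates) {
            if ( crypt( $cand, $hash ) eq $hash ) {
                $found{$user} = $cand;
                last;
            }
        }
    }
    return \%found;
}

# Constructed accounts (hashes made here, at run time, with crypt()).
my %passwd = (
    bob   => crypt( 'P@ssword', 'Xy' ),    # a word with a "clever" substitution
    carol => crypt( 'L3tm3in',  'Qz' ),    # another one
    erin  => crypt( 'monkey',   'Ab' ),    # a bare dictionary word
    dave  => crypt( 'j7#Kq2Lp', 'Hm' ),    # mixed classes, not in any list
);

my @dict = build_dictionary();
printf "%d words expanded to %d candidates\n", scalar @words, scalar @dict;

my $found = crack( \%passwd, \@dict );
for my $user ( sort keys %passwd ) {
    printf "%-6s %s\n", $user,
        exists $found->{$user} ? "cracked: $found->{$user}" : "not in dictionary";
}
```

The three substituted accounts fall to a five-word list in a fraction of a second, while the eight-character mixed-class password survives this pass and would have to be brute-forced instead, which is the point made in the bullets above.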