mellin has asked for the wisdom of the Perl Monks concerning the following question:

Here's the drill. I've been playing around with my script that reads Internet Explorer Favorites files and processes them through an XHTML template file. With the help of some forums (including this one!) I have managed to implement some useful features in it. I'm still seeking one to add, and that special one is password protection. I have this idea that .htaccess files are not that good an idea after all, or so I've heard. I was thinking of using a cookie to store an encrypted password on the user's (that'll be me for now) computer, and checking with the script whether it matches the password stored on the server. I was thinking of just a plain text file with the password encrypted the same way as in the cookie. The password would be sent to the Perl script with a normal HTML input element through the POST method. I know that the password then gets sent in plain, readable form, but it's better than nothing for now. This is the code I got from one forum:
my $cleartext = whatever();
my $salt = '$1$';
$salt .= ('A' .. 'Z', 'a'..'z', '0'..'9', '.', '/')[rand 64] for 1..8;
my $crypted = crypt $cleartext, $salt;

# verifying password
my $cleartext = whatever();
my $crypted = getfromdb();
if (crypt($cleartext, $crypted) eq $crypted) {
    # correct password
} else {
    # incorrect...
}
Before I start to dig into it, I could use some common advice on the matter. And is the code shown above the way to go?

Re: Securing program executing with Md5-hash
by astroboy (Chaplain) on Oct 16, 2004 at 10:58 UTC
Re: Securing program executing with Md5-hash
by hsinclai (Deacon) on Oct 16, 2004 at 13:43 UTC
    What astroboy says.

    But if you ever use the crypt function, it just uses 2 characters for the salt (as opposed to eight - and would probably truncate anyway):

    use strict;
    my $password = "whatever";
    my @saltset = ('a' ..'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    my $nsalt = $saltset[$$ % 64] . $saltset[time % 64];
    my $cryptedpass = crypt($password, $nsalt);
    print $cryptedpass,"\n";
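
An added example, not code from any poster in this thread: it runs the crypt() create-and-verify pattern from the question with both salt styles discussed above, an eight-character `$1$` salt and a two-character salt, and checks the same passwords against each stored hash. It assumes a platform crypt(3) that understands `$1$` (for example glibc) and a readable /dev/urandom; the helper names and the sample password are made up for illustration.

```perl
use strict;
use warnings;

my @SALT_CHARS = ('A' .. 'Z', 'a' .. 'z', '0' .. '9', '.', '/');

# Draw $n salt characters from the kernel CSPRNG rather than rand(), $$ or time.
# 256 is a multiple of 64, so the modulo introduces no bias.
sub random_salt {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    (read($fh, my $bytes, $n) // 0) == $n or die "short read from /dev/urandom";
    close $fh;
    return join '', map { $SALT_CHARS[ord($_) % 64] } split //, $bytes;
}

# $scheme is '$1$' (MD5-crypt, 8-char salt) or '' (traditional crypt, 2-char salt).
sub hash_password {
    my ($cleartext, $scheme) = @_;
    my $setting = $scheme eq '$1$' ? '$1$' . random_salt(8) . '$' : random_salt(2);
    my $crypted = crypt($cleartext, $setting);
    # A supported scheme echoes its setting at the start of the result; undef,
    # a "*0"-style failure token or a silent fallback to another scheme does not.
    die "crypt() does not support scheme '$scheme' on this platform\n"
        if !defined $crypted || index($crypted, $setting) != 0;
    return $crypted;
}

# The stored hash carries its own scheme and salt, so it doubles as the setting.
sub verify_password {
    my ($cleartext, $stored) = @_;
    return 0 unless defined $stored && length($stored) >= 13;
    my $check = crypt($cleartext, $stored);
    return 0 unless defined $check && length($check) == length($stored);
    my $diff = 0;    # compare every byte so timing does not depend on the match position
    $diff |= ord(substr($check, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

my $password = 'correct horse battery';    # constructed sample value
for my $scheme ('$1$', '') {
    my $stored = eval { hash_password($password, $scheme) };
    if (!defined $stored) { print "skipped: $@"; next; }
    printf "%-4s %s\n", $scheme || 'DES', $stored;
    for my $try ($password, substr($password, 0, 8), 'wrong guess') {
        printf "  %-24s %s\n", "'$try'", verify_password($try, $stored) ? 'accepted' : 'rejected';
    }
}
```

Traditional two-character-salt crypt hashes only the first eight characters of the password, so the second test line shows whether a given stored hash is affected by that truncation.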