ninja_byte has asked for the wisdom of the Perl Monks concerning the following question:

My quest: to write a drop-in perl module/function that will evaluate a password, and return true if acceptable, false if not.

Seems simple right?
Seems like a million people have already thought this up, surely some of them in perl...

I'm not afraid to re-invent the wheel, but I'm pretty busy as is. Any suggestions on modules to use?

I will certainly be altering it for performance, etc. I primarily run FreeBSD, with scattered windows and linux machines as well. Thanks in advance!

Re: password checking?
by fairy (Novice) on Aug 13, 2005 at 11:44 UTC
Re: password checking?
by dorward (Curate) on Aug 13, 2005 at 07:37 UTC

    The actual checking is probably quite trivial, but very dependent on how the credentials are stored. For example, if you have a mysql database table then a query along the lines of:

    SELECT something from users where username=? and password=PASSWORD(?);

    Followed by a count of the rows returned would do the job.

    Other ways of storing the credentials would have different ways of accessing them, so this problem is very dependent on the specifics.

      It's common to store passwords in a database like this. I have two things to add that I learned the hard way.

      User applications should not use the PASSWORD() function. MySQL AB has documented that this function may change between versions. Their documentation says you should use MD5() or SHA1(). (The 4.0 to 4.1 upgrade was a pain at the shop I was working at.)

      Another way is to hash the value in perl before passing it to the database. You could use Digest::SHA256 or Digest::MD5 for example.

      For some reason (that I don't know) string comparisons are not case sensitive in MySQL unless you use the BINARY keyword in the query or the columns were created with the BINARY attribute.
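As an added example (not code from any poster in this thread), here is the drop-in true/false check the original question asks for, written along the lines of the reply above: the password is hashed in Perl with the core Digest::SHA module rather than with MySQL's PASSWORD(), and the comparison happens in Perl so MySQL's case-insensitive string matching never enters into it. The stored format ("salt$hex") and the users/password_hash column names are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the PerlMonks thread. Hashes in Perl (as the
# reply suggests) instead of relying on MySQL's PASSWORD() function.
# Stored form is "salt$sha256hex"; the per-user salt means two users
# with the same password do not end up with the same stored value.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Build the value to store in the users table. The salt here comes from
# Perl's rand(); a CSPRNG source such as /dev/urandom is preferable in
# production.
sub make_stored {
    my ($password) = @_;
    my $salt = join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
    return $salt . '$' . sha256_hex($salt . $password);
}

# The drop-in check: returns 1 if $password matches $stored, 0 if not.
# Every byte of the two hex strings is compared rather than stopping at
# the first mismatch, so timing does not leak how much matched.
sub check_password {
    my ($stored, $password) = @_;
    my ($salt, $hash) = split /\$/, $stored, 2;
    return 0 unless defined $hash;
    my $candidate = sha256_hex($salt . $password);
    return 0 unless length $candidate == length $hash;
    my $diff = 0;
    $diff |= ord(substr $candidate, $_, 1) ^ ord(substr $hash, $_, 1)
        for 0 .. length($hash) - 1;
    return $diff == 0 ? 1 : 0;
}

# When the hash lives in MySQL, fetch it by username with a DBI
# placeholder (assumed schema: users.password_hash) and hand the row's
# value to check_password():
#   SELECT password_hash FROM users WHERE username = ?
# BINARY is not needed because the comparison no longer happens in SQL.

# Constructed demo data: one correct and one case-changed attempt.
my $stored = make_stored('correct horse');
print check_password($stored, 'correct horse') ? "accepted\n" : "rejected\n";
print check_password($stored, 'Correct Horse') ? "accepted\n" : "rejected\n";
```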
Re: password checking?
by spiritway (Vicar) on Aug 13, 2005 at 08:09 UTC

    When you say "acceptable", do you mean that the password is adequately secure - hard to guess, not a dictionary word, containing numbers and alpha characters in upper and lower case, etc. - or do you mean that the password is the correct one to access something?

Re: password checking?
by mvaline (Friar) on Aug 13, 2005 at 15:42 UTC

    This can be as simple or complex or insecure or secure as you want; just remember that simple does not always equal insecure and complex does not always equal secure.

    Storing passwords in plaintext in a database is probably not a good idea. You will probably want to encrypt the passwords at least. You didn't specify if this is a standalone perl script or a web script... your security concerns are likely to be different depending on this. One of the easiest options is always to plug into an existing authentication service, from the shadow password file to .htaccess files if you're using apache. I do most of my work in a Microsoft-centric corporate environment, so I usually try to plug into ActiveDirectory.

    If it's a web script, see Password Authentication Module

    You will probably be able to glean some techniques from these:
    Passwords, hashes, and salt
    Best practices for database passwords
    A question of security