hesco has asked for the wisdom of the Perl Monks concerning the following question:

I've been working to wrap my head around DBIx::UserDB, whose POD includes the following statement:

Passwords are uuencoded for storage (for minimal privacy not for security), so take this into account when setting the password field's length. If you want to store password in plaintext, use the scramble_password method.
It seems that WWW::Authenticate will handle creating sessions to maintain state for an authenticated user; that DBIx::UserDB will handle the management of user, group and privilege tables as well as consultation with an Access Control List to authorize access to applications and resources. I've been hacking on the former to integrate with the latter.

It seems now that the one missing piece for my access control / security regime is a method for encrypting passwords used in my authentication scheme. I'll use an SSL connection to prevent sniffing and man-in-the-middle threats. Now my concern is with folks who might have shell access to the database server for applications deployed to shared hosting environments. If I could only figure out how to use these tools together with a password encryption scheme, and a method for comparing encrypted passwords at authentication, I'd be in business.

Can anyone advise me on this? All help is appreciated.

-- Hugh

Re: Integrating Password encryption into DBIx::UserDB
by tirwhan (Abbot) on Feb 01, 2006 at 10:32 UTC

    Take a look at Digest::SHA, this will allow you to create a secure hash of the password given to you by the user. Store that hash (no need to further "scramble" it) and whenever the user logs on again recreate the hash from the password supplied and pass that to user_login for authentication.

    For good future security you should use sha256 upwards, sha1 is beginning to show its age.


    There are ten types of people: those that understand binary and those that don't.
      OK. The POD looks interesting. I'm assuming I only need to use:
      use Digest::SHA;
      # digest of the password the user typed
      my $pw  = Digest::SHA::sha256($password);
      # digest of the confirmation field, to check that the two entries match
      my $pwc = Digest::SHA::sha256($passwordconfirm);
      Then use the digests as I would have used a plain text password. My only question here is, how large do my password fields need to be to accommodate a sha-256 hashed digest? What data types will allow all possible characters in the digest?

      -- Hugh

        Yep, that's it. You can use the sha256_hex or sha256_base64 methods to encode the hash in a format that's easily storable in the database.

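The scheme tirwhan describes, as an added example that is not part of the original thread or of DBIx::UserDB: hash the password with Digest::SHA when it is set, store the encoded digest, and at login hash the supplied password the same way and compare. The hash_password and password_matches subs and the %user record are constructed for this example; a real deployment would hand the recomputed digest to DBIx::UserDB's user_login, which is stood in for here by a plain string comparison. The block also answers the field-length question: sha256_hex is always 64 hex characters, and sha256_base64 is 43 characters (Digest::SHA omits base64 padding), so a CHAR(64) or CHAR(43) column of those character sets suffices. One caveat a practitioner should weigh: a bare SHA-256 is unsalted and fast, so two users with the same password store the same digest, and anyone who can read the table can guess passwords offline at full speed; the example shows the thread's scheme as given, not a hardened one.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): storing a SHA-256 digest
# of a password and recreating it at login with Digest::SHA.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex sha256_base64);
use Encode      qw(encode_utf8);

# Hash a password for storage. Digest::SHA works on bytes, so encode
# the string first; a password with wide characters would otherwise
# make sha256_hex croak. The result is 64 characters from [0-9a-f].
sub hash_password {
    my ($password) = @_;
    return sha256_hex( encode_utf8($password) );
}

# At login, recreate the digest from the supplied password and compare
# it to the stored one. Both sides must use the same encoding (hex here).
sub password_matches {
    my ( $supplied, $stored_hash ) = @_;
    return hash_password($supplied) eq $stored_hash;
}

# Constructed sample record standing in for a DBIx::UserDB user row.
my %user = (
    username => 'hugh',
    password => hash_password('s3cret'),
);

printf "stored hex digest:    %s (%d chars)\n",
    $user{password}, length $user{password};

# The base64 form is shorter; Digest::SHA leaves off the '=' padding.
my $b64 = sha256_base64( encode_utf8('s3cret') );
printf "base64 form instead:  %s (%d chars)\n", $b64, length $b64;

# Login attempts: the right password matches, a wrong one does not.
print "login with 's3cret':  ",
    ( password_matches( 's3cret', $user{password} ) ? "ok" : "denied" ), "\n";
print "login with 'S3CRET':  ",
    ( password_matches( 'S3CRET', $user{password} ) ? "ok" : "denied" ), "\n";
```

Run it with `perl hashdemo.pl`; the first login prints "ok" and the second "denied". Because hash_password is deterministic, the stored column can be declared CHAR(64) for the hex form with no risk of truncation, whereas the raw binary sha256 that the earlier snippet produced would need a binary column type and is awkward to pass through placeholders and logs.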