in reply to Integrating Password encryption into DBIx::UserDB

Take a look at Digest::SHA, this will allow you to create a secure hash of the password given to you by the user. Store that hash (no need to further "scramble" it) and whenever the user logs on again recreate the hash from the password supplied and pass that to user_login for authentication.

For good future security you should use sha256 upwards; sha1 is beginning to show its age.


There are ten types of people: those that understand binary and those that don't.

Re^2: Integrating Password encryption into DBIx::UserDB
by hesco (Deacon) on Feb 01, 2006 at 12:11 UTC
    OK. The POD looks interesting. I'm assuming I only need to use:
    use Digest::SHA;
    my $pw  = Digest::SHA::sha256($password);
    my $pwc = Digest::SHA::sha256($passwordconfirm);
    Then use the digests as I would have used a plain text password. My only question here is, how large do my password fields need to be to accommodate a SHA-256 hashed digest? What data types will allow all possible characters in the digest?

    -- Hugh

      Yep, that's it. You can use the sha256_hex or sha256_base64 methods to encode the hash in a format that's easily storable in the database.


      There are ten types of people: those that understand binary and those that don't.
        For the sake of my alter table query, how many characters do these digests turn out to be? Will a varchar(255) handle the result? Or do I need a text field? -- Hugh
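
The hash-on-register, rehash-on-login flow from the first answer, together with the output sizes behind the column-width question above, as an added example that is not part of this thread and not DBIx::UserDB's own code. The %user_table hash stands in for the database column, register_user/check_login/digest_sizes are hypothetical names, and the sample password is constructed. The example follows the thread's scheme (a single unsalted SHA-256); current practice would use a salted, deliberately slow password hash instead, but the storage and comparison mechanics are the same.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256 sha256_hex sha256_base64);

# Stand-in for the DBIx::UserDB password column (assumed, not the module's API):
# the stored value is the hex digest, so a CHAR(64) column holds it.
my %user_table;

# Hash a password the way the first answer describes: one SHA-256 digest of the
# plaintext, hex-encoded so the result is plain printable text.
sub hash_password {
    my ($password) = @_;
    return sha256_hex($password);
}

# Registration: the password and its confirmation must produce identical digests.
sub register_user {
    my ($username, $password, $confirm) = @_;
    my $digest = hash_password($password);
    return 0 unless $digest eq hash_password($confirm);
    $user_table{$username} = $digest;
    return 1;
}

# Login: recompute the digest from the supplied password and compare it with the
# stored one; this digest is what gets handed to user_login instead of the
# plaintext.
sub check_login {
    my ($username, $password) = @_;
    my $stored = $user_table{$username};
    return 0 unless defined $stored;
    return hash_password($password) eq $stored ? 1 : 0;
}

# Sizes of the three output forms Digest::SHA offers for the same digest.
# Returns (raw bytes, hex chars, base64 chars, count of raw bytes that are not
# printable ASCII). Digest::SHA's base64 output carries no '=' padding.
sub digest_sizes {
    my ($password) = @_;
    my $raw    = sha256($password);
    my $unsafe = () = $raw =~ /[^\x20-\x7e]/g;
    return (length $raw, length sha256_hex($password),
            length sha256_base64($password), $unsafe);
}

# Constructed sample data, not from the thread.
register_user('hugh', 'correct horse', 'correct horse') or die "password mismatch\n";
print check_login('hugh', 'correct horse') ? "login ok\n" : "login failed\n";
print check_login('hugh', 'wrong guess')   ? "login ok\n" : "login failed\n";

my ($raw_len, $hex_len, $b64_len, $unsafe) = digest_sizes('correct horse');
printf "raw %d bytes (%d not printable ASCII), hex %d chars, base64 %d chars\n",
       $raw_len, $unsafe, $hex_len, $b64_len;
```

The raw digest is 32 bytes and routinely contains NUL and non-ASCII bytes, so it only belongs in a binary column. sha256_hex always yields exactly 64 characters from [0-9a-f] and sha256_base64 exactly 43, so a fixed CHAR(64) or CHAR(43) fits and a varchar(255) or text field is more than enough.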