in reply to Re^2: Passing variable from one cgi to another
in thread Passing variable from one cgi to another

I'm a bit puzzled - how do passwords help you if your system doesn't store them anywhere?

I mean when the user enters the password somewhere you need to verify if his password is correct, so you must have the password stored somewhere.

If you're worried that your database admin might steal the passwords you could try to encrypt the temporary passwords like this:

For each generated password you also create a unique key. Then you encrypt the password with the key and store it in the DB, and you send the key to the client (print "<img src='https://www.mysite.com/secure/cgi-bin/secimage.cgi?key=$key'>";).

That way the secret is split into two halves, one that is only known in the database and one that is only sent to the browser (and not stored), so no evil database admin can recover the passwords.

Re^4: Passing variable from one cgi to another
by chromatic (Archbishop) on Jan 10, 2008 at 20:39 UTC
    I mean when the user enters the password somewhere you need to verify if his password is correct, so you must have the password stored somewhere.

    You don't, actually. You can hash the initial password (with a salt, preferably) and store that. Then to verify the password, take what the user has provided and hash it again (with the same salt) and compare.