in reply to Storing encrypted passwords and validating

The Digest family is probably what you want; Digest::SHA1. The algorithms are supported in all the DBs too so it's easy to validate/store.

    perl -MDigest::SHA1 -le 'print Digest::SHA1::sha1_hex(shift)' s3cr3t
    25ab86bed149ca6ca9c1c0d5db7c9a91388ddeab
    perl -MDigest::SHA1 -le 'print Digest::SHA1::sha1_hex(shift)' s3cr3ts
    0b8afdce3abe965be751e15143604eb17ee1290e

Be aware that there are efforts to generate look-up tables for these so you still need to enforce prohibitions against the usual problematic/weak passwords (dictionary words, sequences, etc). The sha for "password" for example, 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, has 681 hits on Google. And 682 come reindex time. :)

Re^2: Storing encrypted passwords and validating
by ikegami (Patriarch) on Mar 28, 2009 at 19:29 UTC
    That's why you salt it.
    use Digest::SHA1 ();

    # Assumed helper, not defined in the post: eight random salt bytes.
    sub gen_8_rand_bytes {
        open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
        read($fh, my $salt, 8) == 8 or die "Short read from /dev/urandom";
        return $salt;
    }

    sub get_digest {
        my ($passwd) = @_;
        my $salt   = gen_8_rand_bytes();
        my $digest = Digest::SHA1::sha1_hex("$salt$passwd");
        # Stored form: 16 hex chars of salt followed by the 40-char hex digest.
        return unpack('H16', $salt) . $digest;
    }

    sub cmp_digest {
        my ($passwd, $digest) = @_;
        # Peel the hex salt off the front; $digest then holds only the hash part.
        my $salt = pack('H16', substr($digest, 0, 16, ''));
        return $digest eq Digest::SHA1::sha1_hex("$salt$passwd");
    }

    There's probably an existing implementation on CPAN that follows established practices.
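The lookup-table point from the original reply and the salted layout ikegami sketches (16 hex chars of salt, then the 40-char SHA-1 hex digest of salt followed by password), as an added Python port that is not code from the thread; the `salt` parameter on `get_digest` exists only so the result can be pinned in a test, and the comparison uses a constant-time check rather than `eq`:

```python
import hashlib
import hmac
import os

SALT_BYTES = 8
SALT_HEX = SALT_BYTES * 2                      # 16 hex chars, like unpack('H16', $salt)
DIGEST_HEX = hashlib.sha1().digest_size * 2    # 40 hex chars


def sha1_hex(data: bytes) -> str:
    """Unsalted hex digest, the equivalent of Digest::SHA1::sha1_hex."""
    return hashlib.sha1(data).hexdigest()


def get_digest(passwd: str, salt=None) -> str:
    """Return hex(salt) + sha1_hex(salt + passwd).

    salt is normally drawn from os.urandom; it is a parameter only so a
    test can fix it and check the layout.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 8 bytes")
    return salt.hex() + sha1_hex(salt + passwd.encode("utf-8"))


def cmp_digest(passwd: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time.

    Malformed stored values (wrong length, non-hex salt) simply fail.
    """
    if len(stored) != SALT_HEX + DIGEST_HEX:
        return False
    try:
        salt = bytes.fromhex(stored[:SALT_HEX])
    except ValueError:
        return False
    expected = sha1_hex(salt + passwd.encode("utf-8"))
    return hmac.compare_digest(expected, stored[SALT_HEX:])


if __name__ == "__main__":
    # Unsalted: the same input always yields the same, googleable digest.
    print(sha1_hex(b"password"))
    # Salted: two enrolments of one password differ, yet both verify.
    a, b = get_digest("password"), get_digest("password")
    print(a != b, cmp_digest("password", a), cmp_digest("password", b))
    print(cmp_digest("Password", a))   # wrong password -> False
```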