in reply to P@$$w0rd$ in perl?

Hey, thanks a bunch, all of you, that really cleared up the usage of crypt, and does everything I want except the functionality of being able to email the user their password if they forget. (why, like this here website)

I'd rather have someone lose their password than have someone else crack their account ;) Does anyone have a scheme to encrypt the password (securely enough) that, if forgotten, can be accessed by the right people?

that would be super,

-justin simoni
!skazat!

RE: Thanks!
by chromatic (Archbishop) on Apr 25, 2000 at 02:11 UTC
    Actually, the Everything Engine (last time I checked) doesn't encrypt passwords at all.

    Assuming you keep your database properly secured, that shouldn't be a problem. Otherwise, you'll need a two-way encryption scheme, maybe a rotation cipher?

    my $salt = 11;   # rotation amount; keep it hidden

    # Shift every byte of the password up by $salt, wrapping around at 256
    # so that any byte value round-trips through decrypt().
    sub encrypt {
        my $password = shift;
        my $newpass  = '';
        foreach my $letter (split '', $password) {
            $newpass .= chr((ord($letter) + $salt) % 256);
        }
        return $newpass;
    }

    # Reverse the shift: subtract $salt and wrap around below 0
    # (Perl's % gives a non-negative result for a positive modulus).
    sub decrypt {
        my $password = shift;
        my $newpass  = '';
        foreach my $letter (split '', $password) {
            $newpass .= chr((ord($letter) - $salt) % 256);
        }
        return $newpass;
    }

    my $password = "foobar+";
    my $stored   = encrypt($password);
    print decrypt($stored) eq $password ? "round trip ok\n" : "mismatch\n";
    Not very secure, but better than plain text, if you keep your salt hidden. Keep your database more secure.
RE: Thanks!
by comatose (Monk) on Apr 25, 2000 at 03:43 UTC

    What I've always done is put in functionality for the user to receive a new random password via email. If they forget it, they just put in their email address and their login and password are sent. Sites implement this in any number of ways.

    Enter email address only - Just sends out a new password to the email address.

    Enter email address and answer question - When you create an account, you include a question and answer portion. For example, "What is your favorite color?" "Red." In order for the new password to be set, the user has to successfully answer the question. Most allow the user to pick their own question.

      That seems to be the best idea, just email a new password to the email address, thanks a lot!
        One problem here is that if I don't like someone I can reset their password to a new one, by entering their email address and saying 'mail new password'. Sure, they'll get the new one as an email, but it's a bit of an inconvenience. Probably not a major issue, though.
RE: Thanks!
by ZZamboni (Curate) on Apr 25, 2000 at 17:47 UTC
    Being able to recover a user's password would mean that there would need to be a "secret key" for the "right people" to be able to decrypt it. This opens yet another possible security hole. The preferred way of doing things is simply giving the "right people" the power to change any user's password. That way, if a user loses his/her password, they can have it reset to something known.

    Most password-protected web pages out there evidently store the passwords in clear text, since they are able to mail it to you if you lose it. Although convenient, this is not necessarily secure. I think the best thing would be what comatose suggested, have the system generate a new random password and send it to the user. That way you don't have to store clear-text passwords.

      Heh. Unless you do on-the-fly brute forcing of the crypt'd password when a user requests to be email'd it. That would just about be feasible for crypt'd passwords.

      (Mostly a joke).
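Putting comatose's random-password reset together with ZZamboni's point about never storing clear text, here is an added example (my own code, not from any poster in this thread): only crypt() output is stored, and a forgotten password is replaced by a fresh random one that is handed back once for the email. It assumes a system crypt(3) that accepts a '$6$' (SHA-512) salt and a readable /dev/urandom; the user table and the login 'justin' are constructed for the demo.

```perl
use strict;
use warnings;

# Constructed in-memory user table: login => crypt() output. Nothing
# recoverable is stored, which is why "recovery" has to mean "reset".
my %users;

# crypt(3)'s salt alphabet has 64 characters, so one urandom byte
# modulo 64 picks a character uniformly.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub random_string {
    my $len = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, $len) == $len or die "short read from urandom";
    close $fh;
    return join '', map { $salt_chars[ ord($_) % @salt_chars ] } split //, $bytes;
}

# Store only the hash. The '$6$' prefix asks for SHA-512 crypt (assumed
# supported by the system's crypt(3)); a plain two-character salt as in
# the original question selects traditional DES crypt instead.
sub set_password {
    my ($login, $cleartext) = @_;
    $users{$login} = crypt($cleartext, '$6$' . random_string(16));
}

# Login check: crypt() with the stored hash as salt reproduces the hash.
sub check_password {
    my ($login, $candidate) = @_;
    return 0 unless exists $users{$login};
    return crypt($candidate, $users{$login}) eq $users{$login};
}

# Forgotten password: generate a fresh one, store its hash, and return the
# cleartext exactly once for the email. The old hash is overwritten.
sub reset_password {
    my $login = shift;
    return unless exists $users{$login};
    my $new = random_string(10);
    set_password($login, $new);
    return $new;
}
set_password('justin', 'foobar+');
print check_password('justin', 'foobar+') ? "login ok\n" : "login failed\n";
my $mailed = reset_password('justin') or die "no such user";
print "mail this to the user: $mailed\n";
print check_password('justin', 'foobar+') ? "old still works?!\n" : "old password rejected\n";
print check_password('justin', $mailed)   ? "new password accepted\n" : "new failed\n";
```

Because reset_password() overwrites the stored hash immediately, anyone who knows a login can cause the inconvenience the anonymous reply above describes; that is a property of the scheme itself, not of this particular code.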