rakshas has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have a file.pl which contains the passwords in a plain text format. Now if I provide the relevant user name the file selects the relevant password. Now, instead of keeping the file in a plain text format, how can I just mask or encrypt the password, so that when I provide the username, the encrypted password is sent.

Any ideas are most welcomed.

Thank you Rakshas

Replies are listed 'Best First'.
Re: How to store a password in a file
by GrandFather (Saint) on Mar 22, 2012 at 23:03 UTC

    Don't store the passwords in the source code. Instead either pass them in on the command line, obtain them from the user at run time or obtain them from a secure (encrypted) configuration file only accessible to the credentials the script is running under.

    You may get better answers if you better describe what you are doing.

    True laziness is hard work
Re: How to store a password in a file
by ikegami (Patriarch) on Mar 22, 2012 at 23:34 UTC

    If you hide the password using encryption, then you have to figure out where to hide the password (key) used to encrypt the password...

    That means the best you can do is hide it from accidental glances. You can use MIME::Base64 for that. Beyond that, limit access to the config file with the password using proper file permissions and other (electronic and physical) access controls.
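An added example, not code from the thread, of the file-permission approach recommended above: a loader that refuses to read a credentials file unless it is a regular file, owned by the effective user, with no group or other access. The file name `creds.conf`, the `user:password` line format and the helper name `load_password` are assumptions, and the checks assume a POSIX system.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);

# Hypothetical helper: return the password for $user from $path, but only
# if the file's ownership and mode are as restrictive as recommended.
sub load_password {
    my ($path, $user) = @_;

    # Open first, then stat the handle, so the checks apply to the file
    # actually being read rather than to whatever the path names later.
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my @st = stat $fh or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by the effective user\n" unless $uid == $>;
    die sprintf("%s has mode %04o; expected 0600 or stricter\n",
                $path, S_IMODE($mode))
        if S_IMODE($mode) & 0077;

    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blanks
        my ($name, $secret) = split /:/, $line, 2;
        return $secret if defined $secret && $name eq $user;
    }
    return;    # unknown user
}

# Constructed demo: create a sample file, then show both outcomes.
my $path = 'creds.conf';
open my $out, '>', $path or die "cannot write $path: $!\n";
print {$out} "# constructed sample data\nUSERID:XYZ\n";
close $out;

chmod 0644, $path;    # readable by group and others: must be refused
print "0644: ", (eval { load_password($path, 'USERID') } // "refused: $@");
chmod 0600, $path;    # owner only: accepted
print "0600: ", load_password($path, 'USERID'), "\n";
unlink $path;
```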

      You shouldn't have a key for a password file-- the passwords should be hashed (after adding a salt to prevent dictionary attacks) and then you just store the hash. Then when you need to validate what the user entered, you just take the user input, add the salt, compute the hash, and compare. The password is never decrypted, and the hash function is one-way, so you can't back it out.

      What hash function to use depends on how secure you need it to be, since some of the common ones have been "broken". If it's just against prying eyes, then almost any will work.

      This isn't really a perl question so much as a basic security question.

      edit: and the OP shouldn't be "sending" a password anywhere-- the user should submit one and the program compares it.

      edit: doh. reading it again it sounds like you want to make a keychain that stores all your passwords for accessing some list of sites or something in a file and have it autofill a password field somewhere. In that case you do need to use a 2-way function, but then also require the user to enter a password that's used as the key to decrypt them, otherwise they're no more secure than being stored as plaintext.

        the passwords should be hashed

        You can't hash a password you need to transmit.

        and the OP shouldn't be "sending" a password anywhere-- the user should submit one and the program compares it

        The program is the user, so your statement is a contradiction.

Re: How to store a password in a file
by polettix (Vicar) on Mar 22, 2012 at 22:55 UTC
    For encrypting passwords I'd look at Crypt::Eksblowfish::Bcrypt. Anyway, please also describe what you're actually doing, I find it suspect when you say that the encrypted password is sent (bold added by me).

    perl -ple'$_=reverse' <<<ti.xittelop@oivalf

    I understood... but what did you say?
Re: How to store a password in a file
by davido (Cardinal) on Mar 22, 2012 at 22:54 UTC

    ...so that when I provide the username, the encrypted password is sent.

    Sent where? Would the recipient understand an encrypted password?


    Dave

Re: How to store a password in a file
by JavaFan (Canon) on Mar 22, 2012 at 23:18 UTC
    Pick an encryption algorithm that suits your needs. Then change the line that does:

        printf $file "%s:%s\n", $username, $password;

    by

        use Favourite::Encryption::Module qw[encrypt];
        printf $file "%s:%s\n", $username, encrypt $password;
Re: How to store a password in a file
by rakshas (Novice) on Mar 23, 2012 at 15:13 UTC

    Thank You all for replying back. I really appreciate it.

    So I have created a function file.pl which contains the password. Now from the command line when I provide the USER_ID. The USER ID is hard coded in the file and cannot be provided at runtime.

    Below is the sample program which calls the file containing the password. xyz.pl

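    #!/usr/bin/perl
    use strict;
    use warnings;

    # funcpassword.pl is a plain script, not a module, so load it by path
    require './funcpassword.pl';

    my $USERID = shift;
    my $password = secret($USERID); # Use this password to login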

    Below is the function program funcpassword.pl

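    sub secret {
        my $temp = shift;
        my $password;
        $password = "XYZ" if ($temp eq 'USERID');
        return $password;   # undef when the user id is not known
    }

    1;  # a file loaded with require must end with a true value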

    I will run the above program as

    prompt> xyz.pl USERID

    Any comments or suggestions are most welcomed.

      I have to agree with the others that that's an odd program to write. If you want to hardcode the encrypted passwords, you can generate the encrypted passwords with a separate program or the command line or something and then hardcode them. But if you ever want to change the keychain password you have to go through that all over again, and to add any you have to generate the new ones and encrypt them and hardcode them in.

      If you use some kind of simple database (e.g. SQLite) you can add username/password pairs that are encrypted/decrypted on the fly. You still run into the "how do I hide the key for my encrypted passwords" problem-- you can use a keychain password as the key, and then if you change the keychain password have a loop that goes through and decrypts and reencrypts them (using the old and new passwords)
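An added example, not code from the thread, of the keychain idea in the reply above: each stored password is encrypted under a key derived from the keychain password, and changing that password runs the decrypt-and-reencrypt loop. It assumes the CryptX distribution (Crypt::KeyDerivation, Crypt::AuthEnc::GCM, Crypt::PRNG), which is my choice rather than a module named in the thread; the record format, the iteration count and the names `seal`, `unseal` and `rekey` are likewise assumptions, and an in-memory hash stands in for the database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::KeyDerivation qw(pbkdf2);
use Crypt::AuthEnc::GCM  qw(gcm_encrypt_authenticate gcm_decrypt_verify);
use Crypt::PRNG          qw(random_bytes);

my $ITER = 200_000;    # assumed PBKDF2 work factor; tune for your hardware

# Encrypt one stored password under a key derived from the keychain password.
# The per-record salt and nonce are not secret and are stored with the record.
sub seal {
    my ($master, $user, $plain) = @_;
    my ($salt, $nonce) = (random_bytes(16), random_bytes(12));
    my $key = pbkdf2($master, $salt, $ITER, 'SHA256', 32);
    # The username is bound in as associated data, so a record copied to
    # another user fails verification.
    my ($ct, $tag) = gcm_encrypt_authenticate('AES', $key, $nonce, $user, $plain);
    return join ':', map { unpack 'H*', $_ } $salt, $nonce, $tag, $ct;
}

# Returns the plaintext, or undef if the keychain password is wrong or the
# record was modified.
sub unseal {
    my ($master, $user, $record) = @_;
    my ($salt, $nonce, $tag, $ct) = map { pack 'H*', $_ } split /:/, $record, 4;
    my $key = pbkdf2($master, $salt, $ITER, 'SHA256', 32);
    return gcm_decrypt_verify('AES', $key, $nonce, $user, $ct, $tag);
}

# The re-encryption loop: build the new store completely before replacing
# the old one, so a wrong old password leaves every record untouched.
sub rekey {
    my ($store, $old, $new) = @_;
    my %fresh;
    for my $user (keys %$store) {
        my $plain = unseal($old, $user, $store->{$user});
        die "cannot decrypt record for $user\n" unless defined $plain;
        $fresh{$user} = seal($new, $user, $plain);
    }
    %$store = %fresh;
    return;
}

# Constructed demo data.
my %store = (USERID => seal('old keychain pw', 'USERID', 'XYZ'));
rekey(\%store, 'old keychain pw', 'new keychain pw');
my $old_ok = defined unseal('old keychain pw', 'USERID', $store{USERID});
print "old pw: ", ($old_ok ? "still works" : "rejected"), "\n";
print "new pw: ", unseal('new keychain pw', 'USERID', $store{USERID}), "\n";
```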