Greetings, fellow monks

I'm creating an administrative CGI script for my neighborhood homeowners association's website, which will require login for board members. I've got it working, using MD5 crypt to encrypt the passwords stored in the database. (See update below) However, I just read that MD5 probably shouldn't be used for new development, and that SHA256 is a better choice. Looking on CPAN, it looks like my choices are between Digest::SHA::PurePerl by Mark Shelor, Digest::SHA256 by Rafael R. Sevilla, or Digest::SHA2 by Julius C. Duque.

My question is, which one of them to use (or maybe something else)? Does anyone with security experience have any recommendations?

I haven't been able to find any reviews on Perl Monks or the web at large.

Update: Sigh... Why do I even try to post just before going to bed?!?

I use crypt on the passwords before storing them in the database. During testing I noticed that only the first 8 characters of the password seemed to matter. I found on the web that that's the way crypt works. So I considered using MD5, which I'm currently using to create session IDs. While looking up info on MD5 to see if it was appropriate for that task, I found comments by Schneier (similar to ikegami's link below) that SHA256 would be a better choice.

So back to my original question, speed issues aside, is one of the CPAN modules better than another?

Thanks to syphilis for indirectly pointing out the embarrassing error in my original post!

Further Update: While doing some research this morning, I came upon this article: A Future-Adaptable Password Scheme. I haven't had a chance to read it all, but basically I think it's saying you don't want to use a fast hashing routine (which I guess MD5 is, for instance), because that makes brute force attacks quicker. You want to use a strong hash, but tune it so it makes brute forcing unacceptably slow. Food for thought, I guess.

TheEnigma
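The "tune it so brute forcing is slow" idea from the Further Update, as an added illustration that is not the poster's code: a salted SHA-256 hash iterated 2**cost times, with the cost stored in each record so it can be raised later without breaking old logins. It uses only the core Digest::SHA module and assumes a Unix-like /dev/urandom for salt bytes; the record layout `cost$salt$hash`, the sub names and the sample passwords are all made up here (a purpose-built scheme such as bcrypt, which the linked paper describes, is what you would normally pick over rolling your own).

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256);

# Cost is log2 of the iteration count; it is stored with each record so new
# passwords can use a higher cost while older records still verify.
my $DEFAULT_COST = 14;

# Read n random bytes for the salt (assumes a Unix-like /dev/urandom).
sub random_salt {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $salt, $n) == $n or die "short read from urandom";
    return $salt;
}

# Iterate SHA-256 over salt and password 2**cost times.
sub slow_hash {
    my ($password, $salt, $cost) = @_;
    my $h = sha256($salt . $password);
    $h = sha256($h . $salt . $password) for 1 .. 2 ** $cost;
    return $h;
}

# Storable record (invented layout): cost$salt_hex$hash_hex
sub hash_password {
    my ($password, $cost) = @_;
    $cost //= $DEFAULT_COST;
    my $salt = random_salt(16);
    my $digest = slow_hash($password, $salt, $cost);
    return join '$', $cost, unpack('H*', $salt), unpack('H*', $digest);
}

# Compare every byte so timing does not reveal how long a matching prefix was.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($password, $record) = @_;
    my ($cost, $salt_hex, $hash_hex) = split /\$/, $record, 3;
    my $digest = slow_hash($password, pack('H*', $salt_hex), $cost);
    return ct_equal(unpack('H*', $digest), $hash_hex);
}
my $rec = hash_password('correct horse');    # constructed sample password
print "stored: $rec\ncorrect: ", (verify_password('correct horse', $rec) ? 'ok' : 'FAIL'), "\n";
print "wrong: ", (verify_password('wrong', $rec) ? 'FAIL' : 'rejected'), "\n";
```

Doubling the cost value by one doubles the work for both the login check and anyone guessing against a stolen database; pick the largest cost a board member will tolerate at login.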


In reply to Would Like Recommendation for an SHA256 module by TheEnigma
