It's not a specific Perl question. I am building a Perl GUI/wxPerl application that connects to a DB. I want my application to be password protected, i.e. first the user should enter the user and password and then use the application.

What is the best secure method to store the password? Could someone provide an idea of the best method for how I should store the user and the password and how I should retrieve them for authentication? If possible, could someone provide some Perl code for how to do this?

+9  A: 

You definitely don't want to save the passwords in plain text; you should probably take a look at using sha256. You can use the Perl mod Digest::SHA (see CPAN for docs).

use Digest::SHA qw(sha256);

# $input_user and $input_password are whatever the login dialog collected.
my $digest = sha256($input_password);   # raw 32-byte digest (sha256_hex gives a printable form)
my $saved_digest_password = get_saved_password_for_user($input_user);
if ($digest eq $saved_digest_password) {
    # they have the correct password
}

That is just pseudo code, but it should help get you started. It's up to you to define "get_saved_password_for_user" however you want to, whether that is stored in a database somewhere or on the file system or somewhere else. Just make sure you don't ever store or log the $input_password anywhere. The only thing you should need to store is the $digest password.

Hope that helps!

Matthew J Morrison
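A fuller version of the same idea, added here as an example (it is not code from the answer above), assuming Digest::SHA is installed and /dev/urandom is available: it salts and iterates the digest so identical passwords do not produce identical records, stores one self-describing record per user, and compares digests in constant time. For production, a purpose-built password hash such as bcrypt or scrypt from CPAN is still the better choice.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $ITERATIONS = 100_000;   # slows brute force; tune to your hardware
my %users;                  # stand-in for the DB table: username => record (constructed data)

# Random 16-byte salt as hex. Assumes Unix /dev/urandom; Crypt::URandom (CPAN) is portable.
sub make_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $raw, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack 'H*', $raw;
}

# Salted, iterated SHA-256; returns a self-describing record "sha256$iters$salt$digest".
sub hash_password {
    my ($password, $salt, $iters) = @_;
    my $digest = $salt . $password;
    $digest = sha256_hex($digest) for 1 .. $iters;
    return join '$', 'sha256', $iters, $salt, $digest;
}

# Compare two strings without leaking where they first differ via timing.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Only the record is stored; the plain-text password is never written anywhere.
sub register_user {
    my ($user, $password) = @_;
    $users{$user} = hash_password($password, make_salt(), $ITERATIONS);
}

sub verify_password {
    my ($user, $password) = @_;
    my $record = $users{$user};
    return 0 unless defined $record;
    my ($algo, $iters, $salt) = split /\$/, $record;
    return 0 unless $algo eq 'sha256';
    return constant_time_eq(hash_password($password, $salt, $iters), $record);
}

register_user('alice', 'correct horse battery staple');   # constructed sample user
print verify_password('alice', 'correct horse battery staple') ? "login ok\n" : "rejected\n";
print verify_password('alice', 'wrong password') ? "login ok\n" : "rejected\n";
```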
+1 even as pseudocode it gets right down to the basics of password matching.
Axeman
daotoad
This is a very good answer, but as you know Perl is open source. What if someone changes the if ($digest eq $saved_digest_password) to if ($digest ne $saved_digest_password)? Then he will enter for every wrong password. Could someone have any idea how to solve this in an elegant manner?
oren
@oren, preventing someone from tampering with your program is a very different question, and a very difficult one. If what you're trying to do is prevent one user from accessing another's data, then you'll probably have to encrypt that data using the user's password. Then tampering with the program won't help (unless the attacker changes it to secretly save the password somewhere).
cjm
@oren - I think we need to talk about what "open source" means.
Matthew J Morrison