I am new to Perl CGI, using ActivePerl, SQLite DB, Apache server and Windows. I have an entry form in which there are fields like Id, Name, Password and so on. Whenever anybody makes a new entry, whatever they enter into the password field should be encrypted and stored in the database.

The next time when that same user enters the password then it should be validated. Now I suppose a decrypt function or code is required.

I found something called MD5 encryption. Please can anybody give me more info about this and help me regarding how to write the code or any link regarding this?

A: 

MD5 converts any string into a digest. To check if the user's password is valid you don't need the password from the database, but only compare the digest from their entered one to the digest you stored.

Ljubomir Đokić
MD5 is a hash, albeit an obsolete one, so it does not "encrypt" anything.
Steven Sudit
By the way, MD5 encryption is not reversible, that is, you can't restore the original password.
Ljubomir Đokić
It's not encryption, it's a hashing algorithm. Please get the terminology right, these are different concepts of cryptography.
daxim
Hey, thanks a lot for all this important information. But what do I do now? Should I go browse for MD5 encryption code or opt for any other available?
sonya
@Ljubomir: You can if you have a rainbow table for an unsalted hash, which is just one more reason why I recommend that jene reuse an existing authentication framework before reinventing the wheel with an octagon.
Steven Sudit
@jene: MD5 is not encryption. Go look for an authentication framework that is appropriate for your platform.
Steven Sudit
@jene: Please mark this answer as accepted.
Steven Sudit
This answer is terribly bad. It recommends an outdated weak hashing algorithm, and does not mention salting at all.
daxim
I wouldn't say this answer "recommends" the use of MD5, it just fails to discourage it. The question's final paragraph asks what MD5 is and how it's used for password handling and Ljubomir has answered that; he did not introduce MD5 to the discussion.
Dave Sherohman
+8  A: 

Call make_crypto_hash when you initially set up the user; the parameter is his given passphrase. Store the function return value in the database.

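use Authen::Passphrase::BlowfishCrypt;

# Hash the passphrase with bcrypt and a random salt.
# Returns an RFC 2307 string ("{CRYPT}$2a$08$...") to store in the database.
sub make_crypto_hash {
    my ($passphrase) = @_;
    return Authen::Passphrase::BlowfishCrypt->new(
        cost        => 8,
        salt_random => 1,
        passphrase  => $passphrase,
    )->as_rfc2307;
}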

Call test_passphrase_against_crypto_hash when someone logs in and you want to see whether the passphrase belongs to the user. The parameters are the crypto hash you retrieve from the database for the given user name, and the passphrase just given by the user. The return value is a boolean value.

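# Re-hash the supplied passphrase with the salt and cost embedded in the
# stored string and compare. Returns true on a match.
sub test_passphrase_against_crypto_hash {
    my ($crypto_hash, $passphrase) = @_;
    return Authen::Passphrase::BlowfishCrypt
        ->from_rfc2307($crypto_hash)->match($passphrase);
}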
daxim
Thanks a lot for the code. I'm going to use this in my program and get back to you if I get stuck anywhere. Thank you once again, Mr. Daxim.
sonya
@jene: if this answer works for you, it is proper etiquette to mark it as accepted (click the outlined checkmark next to this question).
Ether
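
The registration and login flow from the question, wired to SQLite with the bcrypt calls from the answer above. This is an added example, not code from either answer; the users table, its columns, and the register_user and check_login names are assumptions, and it needs DBI with DBD::SQLite installed.

```perl
use strict;
use warnings;
use DBI;
use Authen::Passphrase::BlowfishCrypt;

# In-memory SQLite database so the example runs offline (constructed schema).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT PRIMARY KEY, crypto_hash TEXT NOT NULL)');

# Registration: hash with bcrypt and a fresh random salt, store only the hash.
sub register_user {
    my ($name, $passphrase) = @_;
    my $crypto_hash = Authen::Passphrase::BlowfishCrypt->new(
        cost        => 8,
        salt_random => 1,
        passphrase  => $passphrase,
    )->as_rfc2307;
    # Placeholders keep form input out of the SQL text.
    $dbh->do('INSERT INTO users (name, crypto_hash) VALUES (?, ?)',
        undef, $name, $crypto_hash);
    return $crypto_hash;
}

# Login: fetch the stored hash and let the module re-hash and compare.
sub check_login {
    my ($name, $passphrase) = @_;
    my ($crypto_hash) = $dbh->selectrow_array(
        'SELECT crypto_hash FROM users WHERE name = ?', undef, $name);
    return 0 unless defined $crypto_hash;    # unknown user
    return Authen::Passphrase::BlowfishCrypt
        ->from_rfc2307($crypto_hash)->match($passphrase) ? 1 : 0;
}

# Constructed sample accounts: two users choose the same passphrase.
my $hash_a = register_user('alice', 'correct horse');
my $hash_b = register_user('bob',   'correct horse');

print "alice stored: $hash_a\n";
print "bob stored:   $hash_b\n";
print "same passphrase, different stored values: ",
    ($hash_a ne $hash_b ? "yes" : "no"), "\n";
print "alice, right passphrase: ", check_login('alice', 'correct horse'), "\n";
print "alice, wrong passphrase: ", check_login('alice', 'wrong'), "\n";
print "unknown user:            ", check_login('carol', 'correct horse'), "\n";
```

Because each stored value carries its own random salt, the two identical passphrases produce different strings, which is what makes a precomputed rainbow table useless against this column.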