
 Moderated by: Ron   (Admins )

 
Passions in Poetry

Passwords

Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


0 posted 12-09-2002 05:49 AM


Ok - I've looked both in my book and on the net and all I find in either of these sources are password scripts using cgi.pm, which I still don't want to do.

Using the questionable logic of my brain, I've thought that it should be feasible to encrypt the password, create a "password" file in a secure directory containing all the password information for the appropriate people (by ID# seems most logical as you've said), then check against that if necessary.

If and when you get the opportunity, could you poke holes in this and/or suggest a better way to do it?

*****

$password = $input{'password'};
$passInfo = "password"; #will change later

$passCrypted = $password ^ $passInfo;

#Pass to cookies, db, & authorization from here

*****

#Retrieve for display (to change it)

$passwordSafe = $passCrypted ^ $passInfo;

*****
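
An added example, not part of the original thread: it runs the XOR scheme from the post above on a constructed sample password to show what ends up in the file, then shows a one-way salted alternative built from Perl core modules only. The function names, the record format, the sample password and the iteration count are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);    # core module

# 1. The scheme from the post: XOR with a fixed key string.
my $key    = "password";               # fixed key, as in the post
my $sample = "correcthorsebattery";    # constructed sample password
my $stored = $sample ^ $key;
# Perl pads the shorter operand with zero bits, so every byte past the
# 8-byte key is written to the file unchanged.
print "stored in clear: ", substr($stored, length $key), "\n";
# One known password plus its stored value returns the key for every entry.
print "key recovered:   ", substr($stored ^ $sample, 0, length $key), "\n";

# 2. One-way alternative: salted PBKDF2-HMAC-SHA256 (first 32-byte block).
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations) = @_;
    my $u   = hmac_sha256($salt . pack("N", 1), $password);
    my $out = $u;
    for (2 .. $iterations) {
        $u    = hmac_sha256($u, $password);
        $out ^= $u;
    }
    return $out;
}

sub make_record {                      # "iterations:salt_hex:hash_hex"
    my ($password, $iterations) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $salt, 16) == 16 or die "short read from urandom";
    close $fh;
    return join ':', $iterations, unpack("H*", $salt),
        unpack("H*", pbkdf2_sha256($password, $salt, $iterations));
}

sub check_password {
    my ($password, $record) = @_;
    my ($iterations, $salt_hex, $hash_hex) = split /:/, $record;
    my $want = pack("H*", $hash_hex);
    return 0 unless length($want) == 32;
    my $got  = pbkdf2_sha256($password, pack("H*", $salt_hex), $iterations);
    my $diff = 0;                      # compare without an early exit
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 31;
    return $diff == 0;
}

my $record = make_record($sample, 100_000);   # iteration count is an assumption
print "right password: ", (check_password($sample, $record)  ? "ok" : "rejected"), "\n";
print "wrong password: ", (check_password("guess", $record) ? "ok" : "rejected"), "\n";
```

With the one-way record there is nothing to "retrieve for display"; a password change is handled by verifying the old password and writing a new record.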
Ron
Administrator
Member Rara Avis
since 05-19-99
Posts 9708
Michigan, US


1 posted 12-09-2002 06:48 AM

Looks fine to me, Christopher. But then, I sort of feel that encrypted passwords are little more than a warm, snuggly blanket for the user. They feel good, but that's about it.
Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


2 posted 12-09-2002 08:07 PM

ok - been wondering what you've meant by this all day.

my first thought was that it's because something like this is relatively easy to decipher for someone with the know-how. still, though, i think it would still be valid - the average person isn't able to break through this and it provides a method by which someone can have a small measure of surety that another won't change their information behind their back.

That was my thought - but if you wouldn't mind expounding, i'd appreciate it. I value your opinions and expertise.
Ron
Administrator
Member Rara Avis
since 05-19-99
Posts 9708
Michigan, US


3 posted 12-09-2002 09:01 PM

LOL

If someone was to steal your password to the forums, Chris, where do you suppose they would get it? Off my web server? Or off the post-it note stuck to your monitor? I long ago decided the only way to make a password secure was to never give it to the user. There's a few kinks with that plan, though, that I'm still working on.

Storing encrypted passwords on the system, as opposed to plain-text passwords, has never made a lot of sense to me. The only reasonable way anyone can get to either is by gaining access to my server's hard disk. If they get that far, they don't NEED a password to change your personal data -- because it's sitting in the same file with your highly encrypted password.

There's absolutely nothing wrong with a warm, snuggly blanket as long as you remember that it IS only a blanket. You still need to lock the doors at night.
Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


4 posted 12-09-2002 09:30 PM

rofl - well, when you get that minor kink out of the way Ron, please let me know!

i had never thought about that. you have a most valid point though, lol. see why i ask you questions like this? see all the disk space i can save???

Cpat Hair
Deputy Moderator 1 Tour
Member Patricius
since 06-05-2001
Posts 12075


5 posted 12-10-2002 08:07 PM

are the passwords protecting anything sensitive in nature such as financial information? If so...or if they are protecting information you don't want anyone to change, you might think about encrypting the information itself. It is not a fail safe method and the argument can be made that if the database containing the info and the web server are on the same machine (usually considered bad security design in my world) that encrypting the data itself is also useless...but if the encryption/decryption tools reside on another machine there is at least a layer of security in that both machines now must be hacked to easily get the info.
Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


6 posted 12-10-2002 09:33 PM

Interesting solution. I wouldn't have thought about that.

No, my "concern" is minor. I just want to make it less likely for someone to be able to a) affect another's information, and b) access the "admin" section I'm developing, which will have the 'power' to affect all submissions, etc. I don't have the resources, nor, really, the justification, to go this route, but I do appreciate your input!

Chris
Cpat Hair
Deputy Moderator 1 Tour
Member Patricius
since 06-05-2001
Posts 12075


7 posted 12-10-2002 09:51 PM

based on what you have said, there still may be some ways to secure the information at least on the surface level. What are you running for a web server and what are you using for a database? I'm afraid I am limited to Microsoft's world to a large degree so specifics may be useless to you if you are running apache or linux etc. but will share what I do know if it is helpful.

Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


8 posted 12-12-2002 05:18 AM

ah, it's ok Ron. The information isn't "vital" information.

FWIW - it's a Unix server and I'm programming in Perl. I could run encrypted passwords, like said above, but see no need (after the "duh" following Ron's point) to add in the extraneous code.
Christopher
Moderator
Member Rara Avis
since 08-02-99
Posts 9130
Purgatorial Incarceration


9 posted 12-12-2002 05:20 AM

I will, however, be putting the 'password' file in a secure directory so no one can happen upon it or find it outside of being able to access the hard drive. I imagine the odds are pretty slim on that happening, but it doesn't hurt anything to secure a directory.
 
All times are ET (US)



© Passions in Poetry and netpoets.com 1998-2013
All Poetry and Prose is copyrighted by the individual authors