Beyond the Basics
Passwords
Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration

0 posted 2002-12-09 05:49 AM



Ok - I've looked both in my book and on the net and all I find in either of these sources are password scripts using cgi.pm, which I still don't want to do.

Using the questionable logic of my brain, I've thought that it should be feasible to encrypt the password, create a "password" file in a secure directory containing all the password information for the appropriate people (by ID# seems most logical as you've said), then check against that if necessary.

If and when you get the opportunity, could you poke holes in this and/or suggest a better way to do it?

*****

# %input is assumed to hold the parsed form fields (not shown here)
$password = $input{'password'};
$passInfo = "password"; #will change later -- fixed "key" string the password is XORed against

# Perl's ^ on two strings XORs them byte by byte
$passCrypted = $password ^ $passInfo;

#Pass to cookies, db, & authorization from here

*****

#Retrieve for display (to change it)

# XOR is its own inverse: XORing with the same string again gives back the original
$passwordSafe = $passCrypted ^ $passInfo;

*****

© Copyright 2002 C.G. Ward - All Rights Reserved
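An added illustration, not code from the post above or from the forum software: the XOR scheme Christopher describes, written out beside a one-way alternative that uses Perl's built-in crypt() and stores a salted hash keyed by ID#, as the post proposes. The %input contents, the sample ID and password, and the helper names (xor_scramble, make_salt, hash_password, check_password, verify_user) are all constructed for this example; the 2-character salt is an assumption chosen for portability.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample form data, standing in for the post's %input hash
# (which a form parser would normally fill in).
my %input = ( id => '1042', password => 'hunter2' );

# ---- 1. The XOR scheme from the first post --------------------------------
# Perl's ^ on two strings XORs them byte by byte.  XOR is its own inverse,
# so applying the same constant twice returns the original password.
my $passInfo = "password";    # the fixed "key", sitting in the script itself

sub xor_scramble {
    my ( $plain, $key ) = @_;
    return $plain ^ $key;
}

my $passCrypted = xor_scramble( $input{'password'}, $passInfo );
my $recovered   = xor_scramble( $passCrypted,       $passInfo );
print "XOR round trip: ",
    ( $recovered eq $input{'password'} ? "recovered" : "lost" ), "\n";
# Whoever can read the script can read $passInfo, and with it undo every
# entry in the password file in one line: against someone who already has
# the disk, the file is no stronger than plain text.

# ---- 2. One-way storage: keep a salted hash, never the password -----------
# crypt() is Perl's binding to the Unix one-way password function.  The
# stored value can be checked against a candidate but not reversed, so a
# password the user reuses elsewhere is not exposed by this file.
# Assumption: a 2-character salt, which selects the portable DES variant
# (it only looks at the first 8 characters of the password); where the C
# library supports it, a "$6$..." salt selects SHA-512 crypt and is stronger.
sub make_salt {
    my @chars = ( 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/' );
    return join '', map { $chars[ int rand @chars ] } 1 .. 2;
}

sub hash_password {
    my ($plain) = @_;
    return crypt( $plain, make_salt() );
}

sub check_password {
    my ( $plain, $stored ) = @_;
    # crypt() reads the salt back out of the stored hash, so re-hashing the
    # candidate with $stored as the salt reproduces $stored on a match.
    return crypt( $plain, $stored ) eq $stored;
}

# The "password file" keyed by ID#, as the post proposes.  It is an
# in-memory hash here, but each entry is exactly one "ID:hash" line on disk.
my %password_file;
$password_file{ $input{'id'} } = hash_password( $input{'password'} );
my $line = "$input{'id'}:" . $password_file{ $input{'id'} };
print "stored line: $line\n";

sub verify_user {
    my ( $id, $plain ) = @_;
    return 0 unless exists $password_file{$id};
    return check_password( $plain, $password_file{$id} );
}

print "correct password: ", ( verify_user( '1042', 'hunter2' ) ? "accepted" : "rejected" ), "\n";
print "wrong password:   ", ( verify_user( '1042', 'letmein' ) ? "accepted" : "rejected" ), "\n";
print "unknown ID:       ", ( verify_user( '9999', 'hunter2' ) ? "accepted" : "rejected" ), "\n";
```

Both versions of the file are equally exposed to someone who can already read and write the server's disk, which is the point Ron makes further down the thread. What the one-way hash changes is what that person learns: the XOR file hands them every user's actual password, while the hashed file gives them nothing they can type into another site's login box.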
Ron
Administrator
Member Rara Avis
since 1999-05-19
Posts 8669
Michigan, US
1 posted 2002-12-09 06:48 AM


Looks fine to me, Christopher. But then, I sort of feel that encrypted passwords are little more than a warm, snuggly blanket for the user. They feel good, but that's about it.
Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration
2 posted 2002-12-09 08:07 PM


ok - been wondering what you've meant by this all day.

my first thought was that it's because something like this is relatively easy to decipher for someone with the know-how. still, though, i think it would still be valid - the average person isn't able to break through this and it provides a method by which someone can have a small measure of surety that another won't change their information behind their back.

That was my thought - but if you wouldn't mind expounding, i'd appreciate it. I value your opinions and expertise.

Ron
Administrator
Member Rara Avis
since 1999-05-19
Posts 8669
Michigan, US
3 posted 2002-12-09 09:01 PM


LOL

If someone was to steal your password to the forums, Chris, where do you suppose they would get it? Off my web server? Or off the post-it note stuck to your monitor? I long ago decided the only way to make a password secure was to never give it to the user. There's a few kinks with that plan, though, that I'm still working on.

Storing encrypted passwords on the system, as opposed to plain-text passwords, has never made a lot of sense to me. The only reasonable way anyone can get to either is by gaining access to my server's hard disk. If they get that far, they don't NEED a password to change your personal data -- because it's sitting in the same file with your highly encrypted password.

There's absolutely nothing wrong with a warm, snuggly blanket as long as you remember that it IS only a blanket. You still need to lock the doors at night.

Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration
4 posted 2002-12-09 09:30 PM


rofl - well, when you get that minor kink out of the way Ron, please let me know!

i had never thought about that. you have a most valid point though, lol. see why i ask you questions like this? see all the disk space i can save???


Cpat Hair
Deputy Moderator 1 Tour
Member Patricius
since 2001-06-05
Posts 11793

5 posted 2002-12-10 08:07 PM


are the passwords protecting anything sensitive in nature such as financial information? If so...or if they are protecting information you don't want anyone to change, you might think about encrypting the information itself. It is not a fail-safe method and the argument can be made that if the database containing the info and the web server are on the same machine (usually considered bad security design in my world) that encrypting the data itself is also useless...but if the encryption/decryption tools reside on another machine there is at least a layer of security in that both machines now must be hacked to easily get the info.
Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration
6 posted 2002-12-10 09:33 PM


Interesting solution. I wouldn't have thought about that.

No, my "concern" is minor. I just want to make it less likely for someone to be able to a) affect another's information, and b) access the "admin" section I'm developing, which will have the 'power' to affect all submissions, etc. I don't have the resources, nor, really, the justification, to go this route, but I do appreciate your input!

Chris

Cpat Hair
Deputy Moderator 1 Tour
Member Patricius
since 2001-06-05
Posts 11793

7 posted 2002-12-10 09:51 PM


based on what you have said, there still may be some ways to secure the information at least on the surface level. What are you running for a web server and what are you using for a database? I'm afraid I am limited to Microsoft's world to a large degree so specifics may be useless to you if you are running Apache or Linux etc. but will share what I do know if it is helpful.


Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration
8 posted 2002-12-12 05:18 AM


ah, it's ok Ron. The information isn't "vital" information.

FWIW - it's a Unix server and I'm programming in Perl. I could run encrypted passwords, like said above, but see no need (after the "duh" following Ron's point) to add in the extraneous code.

Christopher
Moderator
Member Rara Avis
since 1999-08-02
Posts 8296
Purgatorial Incarceration
9 posted 2002-12-12 05:20 AM


I will, however, be putting the 'password' file in a secure directory so no one can happen upon it or find it outside of being able to access the hard drive. I imagine the odds are pretty slim on that happening, but it doesn't hurt anything to secure a directory.
All times are ET (US). All dates are in Year-Month-Day format.