I need help encrypting my passwords. I have a book that shows me an example but it doesn't tell me what everything in the example does. I code in perl/cgi and I want to make some advanced scripts with CMS that is protected with encrypted passwords in a database. Also how do you unencrypt them when someone logs in? Help is appreciated.
Quick answer: I believe you will find that 99% of the web apps out there don't encrypt their passwords, they hash them. The result is still 'secure' but not 'unencryptable'. Instead of storing an encrypted password then comparing a given password with the decrypted password, what you would do is store the hashed password, then compare it with a hash of the given password on a login attempt. Essentially you never compare passwords directly: you compare hashes of them.
I am not sure if I followed this correctly. Is this what you mean?

```perl
# Username => password lookup table.
# %FORM is assumed to already hold the parsed login form fields.
%passwords = ("user1", "pass1", "user2", "pass2", "user3", "pass3");

# Note: this only checks that the submitted username has an entry in
# %passwords; the submitted password itself is never compared.
if ($passwords{$FORM{'username'}} ne "") {
    print "Set-Cookie: loginstatus=loggedin \n";
}
```

Is that at all what you were talking about? Because the reason I am interested in securing passwords is that I am making a script that I plan to distribute, and I want it to be as easy as it can be to use and change usernames and passwords.
I haven't done Perl in a long time, so I can't give you hard code. I'm also going to assume that I've confused you by mentioning a hash. By hash, I didn't mean a non-integer-indexed array but instead the result of a call to a hashing function, for example MD5. When the user sets their password, don't store the password in the database. Instead, store the result of a hashing function call on that password. For example, make: $hashed_password = md5( $password ); (remembering that my Perl is very rusty!) and then store $hashed_password in the database instead of $password. Now, when the user logs in, you have the user-inputted password in 'cleartext' and the MD5-hashed password in the database. MD5 is non-reversible, so instead of trying to compare the cleartext password you instead call MD5 on that input and then compare the result of that to the already-hashed password in the database. Hopefully that makes sense!
Thank you so much. Yes I have not yet used hashes other than %hash. This is very simple now that I know. I have seen them used in PHP before though. Now all I have to do is find the correct module for MD5(). Thanks again.
It isn't working out so well. When I include the password into the database it is one thing. But when I try to md5 the password submitted via the login form it is a completely different hash. How do I make them the same?
The only reason they wouldn't be the same is either a different 'salt' (which you should be able to define) or possibly one of the strings is different to the other... make sure you don't have any newlines or spaces or anything (and make sure they're the same case). But yeah: assuming you're using the same salt (which is fair to assume), then the whole premise of hashing is that two identical strings will hash identically. That's all I can tell you, I'm afraid!
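To tie the two replies together (hash on registration, hash again on login, and why the two digests in the last post came out different), here is an added Perl example that is not code from anyone in the thread. It uses the core Digest::MD5 module since that is what the thread settled on, but adds two things the replies only hinted at: a per-user random salt (read from /dev/urandom, so the example assumes a Unix-like system) and a constant-time digest comparison. The in-memory %db hash and the normalise() helper are constructed for the example; a real CGI script would read and write a file or a DBI handle instead. One practitioner caveat: MD5 is fast and unsalted by design, so for anything you actually deploy, prefer a purpose-built slow password hash such as bcrypt or Argon2; the store-a-hash, compare-a-hash flow shown here stays exactly the same.

```perl
#!/usr/bin/perl
# Added example: store a salted hash at registration, re-hash at login.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed in-memory "database": username => "salt$hexdigest".
my %db;

# The mismatch described in the thread is almost always a trailing newline
# (or CRLF) on one of the two inputs, e.g. a value read from STDIN. Strip it
# so the string hashed at login is byte-for-byte the one hashed at registration.
sub normalise {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/\r?\n\z//;
    return $s;
}

# Per-user random salt so two users with the same password get different
# digests. Assumes /dev/urandom exists (Unix-like systems).
sub new_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 8;
    close $fh;
    return unpack 'H*', $bytes;
}

sub hash_password {
    my ($salt, $password) = @_;
    return md5_hex($salt . $password);
}

# Called when the user sets a password: store salt + digest, never the password.
sub register {
    my ($user, $password) = @_;
    my $salt = new_salt();
    $db{$user} = $salt . '$' . hash_password($salt, normalise($password));
    return 1;
}

# Compare two digests without leaking, via timing, how far they matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Called on login: re-hash the submitted password with the stored salt and
# compare digests. The cleartext is never compared and never stored.
sub login_ok {
    my ($user, $password) = @_;
    my $record = $db{$user} or return 0;            # unknown username
    my ($salt, $stored) = split /\$/, $record, 2;
    return constant_time_eq($stored, hash_password($salt, normalise($password)));
}

# Usage: register once, then try a few login attempts.
register('user1', 'pass1');
for my $attempt (['user1', 'pass1'],     # exact match
                 ['user1', "pass1\n"],   # trailing newline, removed by normalise
                 ['user1', 'Pass1'],     # different case, so a different digest
                 ['user2', 'pass1']) {   # no such user
    my ($u, $p) = @$attempt;
    printf "%-6s %-8s => %s\n", $u, ($p =~ s/\n/\\n/r), login_ok($u, $p) ? 'login ok' : 'rejected';
}

# The point of the last two posts: a different input string is a different
# digest, even if the difference is only a newline you cannot see on screen.
print "md5('pass1')   = ", md5_hex('pass1'),   "\n";
print "md5('pass1\\n') = ", md5_hex("pass1\n"), "\n";
```

Run it with `perl hash_login.pl`. The normalise() step only strips a trailing newline; if you decide to strip surrounding spaces or fold case as well, do it identically on both the registration and the login path, because any difference between the two inputs produces a different digest.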