On Oct 27, 2015 1:45 AM, "Paul.G" <medur...@yahoo.com.au> wrote:
> Just wondering, what are people's thoughts on using password authentication in Perl. What tools do people use to secure the password, or do you just restrict access to the script file so the password cannot be viewed, etc.?

Don't store plain text passwords *ever* (I can't say that stronger - even on a sandbox, people will use passwords similar to those on other systems, which is really unfortunate for them). As far as how to store them, this depends on what you're doing. I'd generally recommend scrypt since every modern language supports it, but I've also been successful in using PBKDF2 in Perl. If you trust your db to do hashing for you, make doubly sure your connection is encrypted (even though it's not on the net - trust me, do this). IIRC I've also seen modules that allow you to utilize your system's international auth (probably set up via PAM) and probably using ssha - if you use proprietary Unices, portability can be an issue (IIRC Solaris's crypto lib is not standard - probably others too).

Almost as important as the backend system is the policy - look at what Windows AD (and Sun - IDR the product name) do to manage policies and prevent users from using weak passwords, and emulate them. I don't care if you're a small web app, you're eventually going to get owned, and making user passwords harder to crack after that happens is better for you. IIRC there's a John page that shows how well different chips do with different hashes - if you don't like my prior recommendations, ref that (less is better for you :) ).

Don't store plaintext, don't use md5, don't use RC2, don't send plaintext passwords in the clear, and don't mess with /dev/random (unless you know what you're doing - you're asking, so I assume you don't).
Also, if you're designing a new system and can help it, never send passwords at all - use a hardware token with a PKI system (nope, never done this in Perl, but since I run 4 full-time password cracking boxes I know how bad passwords get and all the things people do to make password policies easier for them to work with, and it's what I'd look into).

Well, more thoughts than tools :) I'll let all the web devs comment on Catalyst auth models and using htaccess (not the smartest) if that's where you're going with this. But I've been through most of the hashing modules and they're pretty good and not hard to use.
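A worked example of the salted PBKDF2 storage the reply recommends, added here and not part of the original post: it assumes the CPAN module Crypt::PBKDF2 is installed, and the length/denylist policy rules are illustrative stand-ins for the kind of policy the reply describes.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::PBKDF2;   # CPAN module; constructor options below are its documented ones

# One KDF object, reused for both hashing and verification.
my $kdf = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',          # HMAC with the SHA-2 family
    hash_args  => { sha_size => 256 }, # SHA-256
    iterations => 100_000,             # deliberately slow; raise as hardware improves
    salt_len   => 16,                  # 16-byte salt, generated per password by the module
);

# Minimal policy check (assumed rules, not from the thread): length plus a tiny denylist.
my %denylist = map { $_ => 1 } qw(password 123456 qwerty letmein);
sub password_acceptable {
    my ($pw) = @_;
    return 0 if length($pw) < 12;
    return 0 if $denylist{ lc $pw };
    return 1;
}

# Store the returned string (it embeds algorithm, iteration count and salt),
# never the password itself.
sub hash_for_storage {
    my ($pw) = @_;
    die "password rejected by policy\n" unless password_acceptable($pw);
    return $kdf->generate($pw);
}

# Verify a login attempt against the stored string; the module re-derives
# the key with the salt and iteration count recorded in that string.
sub check_login {
    my ($stored, $attempt) = @_;
    return $kdf->validate($stored, $attempt) ? 1 : 0;
}

# Constructed sample values for the demonstration.
my $stored = hash_for_storage('correct horse battery staple');
print "stored: $stored\n";
print "right password accepted: ", check_login($stored, 'correct horse battery staple'), "\n";
print "wrong password accepted: ", check_login($stored, 'Password1'), "\n";
```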