Integrating Password encryption into DBIx::UserDB
hesco
created: 2006-02-01 05:24:37
I've been working to wrap my head around DBIx::UserDB, whose POD includes the following statement:

Passwords are uuencoded for storage (for minimal privacy not for security), so take this into account when setting the password field's length. If you want to store password in plaintext, use the scramble_password method.
It seems that WWW::Authenticate will handle creating sessions to maintain state for an authenticated user; that DBIx::UserDB will handle the management of user, group and privilege tables as well as consultation with an Access Control List to authorize access to applications and resources. I've been hacking on the former to integrate with the latter.

It seems now that the one missing piece for my access control / security regime is a method for encrypting passwords used in my authentication scheme. I'll use an SSL connection to prevent sniffing and man-in-the-middle threats. Now my concern is with folks who might have shell access to the database server for applications deployed to shared hosting environments. If I could only figure out how to use these tools together with a password encryption scheme, and a method for comparing encrypted passwords at authentication, I'd be in business.

Can anyone advise me on this? All help is appreciated.

-- Hugh

Re: Integrating Password encryption into DBIx::UserDB
created: 2006-02-01 05:32:19

Take a look at Digest::SHA, this will allow you to create a secure hash of the password given to you by the user. Store that hash (no need to further "scramble" it) and whenever the user logs on again recreate the hash from the password supplied and pass that to user_login for authentication.

For good future security you should use sha256 upwards, sha1 is beginning to show its age.


There are ten types of people: those that understand binary and those that don't.
Re^2: Integrating Password encryption into DBIx::UserDB
created: 2006-02-01 07:11:48
OK. The POD looks interesting. I'm assuming I only need to use:
use Digest::SHA;
# Raw (binary) 32-byte digests; sha256_hex/sha256_base64 give text-safe forms.
my $pw  = Digest::SHA::sha256($password);         # digest of the password entered
my $pwc = Digest::SHA::sha256($passwordconfirm);  # digest of the confirmation field
Then use the digests as I would have used a plain text password. My only question here is, how large do my password fields need to be to accommodate a SHA-256 hashed digest? What data types will allow all possible characters in the digest?

-- Hugh

Re^3: Integrating Password encryption into DBIx::UserDB
created: 2006-02-01 07:33:45

Yep, that's it. You can use the sha256_hex or sha256_base64 methods to encode the hash in a format that's easily storable in the database.


There are ten types of people: those that understand binary and those that don't.
Re^4: Integrating Password encryption into DBIx::UserDB
created: 2006-02-01 08:10:52
For the sake of my alter table query, how many characters do these digests turn out to be? Will a varchar(255) handle the result? Or do I need a text field? -- Hugh
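An added worked example of the register/login flow tirwhan describes, written for this thread rather than taken from DBIx::UserDB or any poster: it hashes with Digest::SHA's sha256_hex, keeps a per-user random salt (which the replies above do not mention, but which stops identical passwords from producing identical stored digests), and compares digests in constant time. sha256_hex output is always 64 characters and sha256_base64 output 43 (Digest::SHA omits base64 padding), so VARCHAR(64) or VARCHAR(43) is wide enough and a TEXT column is not needed. The in-memory %users hash and the helper names are assumptions standing in for the real user table.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex sha256_base64);

# Constructed in-memory stand-in for the DBIx::UserDB user table.
# Real columns: salt VARCHAR(16), digest VARCHAR(64) for sha256_hex.
my %users;

# Hypothetical helper: 8 random bytes from /dev/urandom as 16 hex chars.
sub make_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 8;
    close $fh;
    return unpack 'H*', $bytes;
}

# Salt is prepended so the same password yields a different digest per user.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

sub register_user {
    my ($username, $password) = @_;
    my $salt = make_salt();
    $users{$username} = { salt => $salt, digest => hash_password($salt, $password) };
}

# Constant-time comparison: XOR every byte instead of stopping at the first
# mismatch, so the comparison time does not leak how much of the digest matched.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Recreate the digest from the supplied password and the stored salt.
sub check_login {
    my ($username, $password) = @_;
    my $row = $users{$username} or return 0;
    return digests_equal($row->{digest}, hash_password($row->{salt}, $password));
}

register_user('hugh', 'correct horse');
printf "hex digest length: %d, base64 digest length: %d\n",
    length sha256_hex('x'), length sha256_base64('x');
print check_login('hugh', 'correct horse') ? "login ok\n" : "login failed\n";
print check_login('hugh', 'wrong')         ? "login ok\n" : "login failed\n";
```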

perlmonks.org content © perlmonks.org and hesco, tirwhan
