Beefy Boxes and Bandwidth Generously Provided by pair Networks
Keep It Simple, Stupid
 
PerlMonks  

Mention password in the script -encrypted form

by perl177 (Initiate)
on Feb 19, 2009 at 14:12 UTC ( #745051=perlquestion: print w/ replies, xml ) Need Help??
perl177 has asked for the wisdom of the Perl Monks concerning the following question:

HOw do I mention password or other key value in encrypted form .Like if the value of variable password is abc123 , is there any possibility that it can be declared as HYgy675hd ( some encrypted form in the script text )

Comment on Mention password in the script -encrypted form
Re: Mention password in the script -encrypted form
by Random_Walk (Parson) on Feb 19, 2009 at 14:25 UTC

    Do you need to decrypt this password again or check that a user knows this password ?

    If you need to decrypt it again in the script it will only be obfuscated and anyone with enough Perl knowledge will be able to decrypt it too.

    if you just need to check a user knows it you can store a hash of the password (MD5 hash should do the trick) and then compare a hash of the user attempt. To make this a little more secure you should mix the password with a salt before hashing it. This stops making a dictionary of many password hashes and then seeing if yours is already know. The salt can be stored clear along with the password hash.

    Update, code added
    #!/usr/bin/perl use strict; use warnings; use Digest::MD5 qw (md5_base64); print "enter a password to store: "; my $password = <STDIN>; my $salt = time; my $digest = md5_base64($password.$salt); print "salt: $salt hash: $digest\n"; my $enter = 0; until ($enter) { print "Speak friend and enter: "; my $try = <STDIN>; my $tryhash = md5_base64($try.$salt); $enter++ if $tryhash eq $digest; } print "Welcome friend\n"; __END__ # output ... enter a password to store: friend salt: 1235062413 hash: 2eJWH+Yjy1Fw8J9wW6vmAg Speak friend and enter: enemy Speak friend and enter: friend Welcome friend

    Cheers,
    R.

    Pereant, qui ante nos nostra dixerunt!
Re: Mention password in the script -encrypted form
by holli (Monsignor) on Feb 19, 2009 at 14:26 UTC
    $password = "abc123"; $encrypt = join('', map { ord($_) } split '', $password);


    holli

    When you're up to your ass in alligators, it's difficult to remember that your original purpose was to drain the swamp.
      If you can suggest me a way in which I will not reveal the password in clear text (anywhere in the script) that will be great We are mentioning in clear text $passwd ="abc123" .I think there must be a way where I can declare $passwd="GHYFtg56" where decrypt(GHYFtg56) = abc123 I hope I made my question clear

        If a function decrypt(GHYFtg56) were possible crypt() would be useless for storing passwords as anyone else (including the attacker) could do the decyphering too. You would have won nothing by storing it as "GHYFtg56".

        cryptographic hash function must have the property that it is easy to create the hash (i.e use crypt()) but impossible to do the inverse (i.e. decrypt()) in acceptable time.

        In other words: Your script needs to know some password to do something. Whatever the script knows, everyone with access to the script can find out too. The only exception is if the script stores the information somewhere else. See my other post here for a possible method

Re: Mention password in the script -encrypted form
by jethro (Monsignor) on Feb 19, 2009 at 14:26 UTC

    Do you just want to encrypt a password with the standard unix hash method in your script? Here is a small script that encrypts a password:

    use strict; my $inp; srand(time() ^ $$); print "Please enter password:\n"; system "stty -echo"; chop($inp= <STDIN>); print "\n"; system "stty echo"; my $i= chr(rand(26)+ord('a')) . chr(rand(26)+ord('a')); print crypt( $inp,$i ),"\n";

    But you can't use the encrypted form to connect to some service that needs the password. That is not possible!

    If that is what you wanted you have to store the password in the clear. You can only really secure it if you store the password in a file only the script can read (in unix the script has to have its suid-flag set so it is executed with the rights of the script owner and the password file should be only readable by the script owner)

Re: Mention password in the script -encrypted form
by zentara (Archbishop) on Feb 19, 2009 at 15:54 UTC
    You can do something as simple as convert your password to hex, then convert it back. Or this nice uuencode method
    #!/usr/bin/perl use warnings; use strict; #by fokat of perlmonks my $string = 'justanotherperlhacker'; print "$string\n"; my $obscure = pack("u",$string); print "$obscure\n"; my $unobscure = unpack(chr(ord("a") + 19 + print ""),$obscure); print "$unobscure\n";
    Or if you need deeper security, encrypt it with any a of various modules, then base64encode it into a string. In the script, send the encoded password to a sub, and return the decoded. That way, unless they are hacker-savvy enough to put in a print statement, no one should actually see the password in plain decoded text.

    I'm not really a human, but I play one on earth My Petition to the Great Cosmic Conciousness
Re: Mention password in the script -encrypted form
by Lawliet (Curate) on Feb 19, 2009 at 22:10 UTC

    If you just want to obfuscate it a little (in case you have to open the file in front of untrustworthy people), I suggest to use a combination of map, ord, and chr. You have to first create a test script and run the password through some ord's and chr's to get an obscure string. Then, reverse the previous algorithm and place it in your script. I would give you an example of how I did this but it is not with me right now. :(

    And you didn't even know bears could type.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://745051]
Approved by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (8)
As of 2014-12-29 11:33 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (186 votes), past polls