PerlMonks
Re: Password Encryption and Decryption

by JavaFan (Canon)
on Mar 23, 2012 at 19:13 UTC


in reply to Password Encryption and Decryption

Are you sure you want to use an encryption method that allows for decryption? That is not what most people consider to be a secure way of dealing with passwords. And it's hardly more secure than storing them in plain text.

Re^2: Password Encryption and Decryption
by slayedbylucifer (Scribe) on Mar 23, 2012 at 19:22 UTC

    I am not sure whether I really want what you have asked. But I have to pass the REAL password to my application because it will never recognize a crypted password. BTW, I am logging in to my application with my Active Directory account and hence I am providing my AD password in clear text format in my script. So I wanted not to write it in clear text and rather have it in the encrypted form and then decrypt it on the fly every time the script runs. This is the reason I need a decryption mechanism.

    Please do let me know if I am thinking in the wrong direction.

      What makes this more secure than storing passwords in plain text? If a program can automatically decrypt the passwords, an attacker can as well - he'd just run the program. Of course, you could protect the "encrypted" password with a password, but then you're back to the beginning, aren't you?

        Ok, so then is there a way I can have my script without a clear text password and still make it work?....

        My application will accept only the AD password in its REAL form, because sending an encrypted password to the application will get me access denied, as that would be a wrong password.

        The application provides a Perl API for automating tasks. So, I wanted to know whether there is a way to get this done in Perl.

        Thanks.

      If you need to authenticate your users against an LDAP directory (like Active Directory), you don't have to store users' passwords at all. You need not store them.

      You need to use LDAP authentication for your application: when the user enters the login/password pair, you forward this info to Active Directory, and if it confirms it, you know that the user is authenticated in that system.
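The forwarding approach described above, as an added example that is not part of the thread and not anyone's posted code: a script asks Active Directory to bind with the user's own credentials and stores nothing locally. The host name, the UPN suffix and the timeout are placeholders chosen for illustration; the script assumes Net::LDAP is installed and that the domain controller accepts a simple bind with the userPrincipalName (user@domain), which Active Directory does.

```perl
#!/usr/bin/perl
# Added example (not from the thread): verify a login/password pair by
# asking Active Directory to bind with it. No password is stored anywhere.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Placeholders for illustration; LDAPS so the password never crosses the
# network in the clear.
my $AD_HOST    = 'ldaps://dc1.example.corp';
my $UPN_SUFFIX = '@example.corp';

# Returns 1 if AD accepts the credentials, 0 if it rejects them, and dies on
# connection problems, so a network failure is never reported as "denied".
sub ad_authenticate {
    my ($username, $password) = @_;

    # An empty password turns a simple bind into an anonymous bind, which
    # most directories accept. Without this check anyone could "log in"
    # with an empty password.
    return 0 unless defined $password && length $password;

    # Keep the userPrincipalName we build well-formed.
    return 0 unless defined $username && $username =~ /^[\w.-]+$/;

    my $ldap = Net::LDAP->new($AD_HOST, timeout => 10)
        or die "cannot reach $AD_HOST: $@";

    my $mesg = $ldap->bind("$username$UPN_SUFFIX", password => $password);
    my $code = $mesg->code;
    $ldap->unbind;

    return 1 if $code == LDAP_SUCCESS;
    return 0 if $code == LDAP_INVALID_CREDENTIALS;
    die "unexpected LDAP result $code: " . $mesg->error . "\n";
}

# Usage: the user name on the command line, the password on stdin (not as an
# argument, where other users could read it from the process list).
my $user = shift @ARGV or die "usage: $0 USERNAME  (password is read from stdin)\n";
chomp(my $pw = <STDIN> // '');
print ad_authenticate($user, $pw) ? "authenticated\n" : "access denied\n";
```

The empty-password check matters more than it looks: RFC 4513 treats a bind with a name and no password as an unauthenticated bind, and a directory that allows it will return success for any account name. Distinguishing "invalid credentials" from every other result code keeps outages and misconfigurations from silently looking like a failed login.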

Re^2: Password Encryption and Decryption
by jose_m (Acolyte) on Mar 25, 2012 at 22:22 UTC

    Use a password file and cat that file to get the password when you need it. I agree with everyone here: encrypting and decrypting is futile since an attacker can just run your decrypter and get the file.
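The password-file approach just suggested, as an added example (not code from the thread): the script reads the secret from a separate file and refuses to use it unless the file actually keeps other users out, since a password file that is world-readable is no better than one pasted into the source. The file path is a placeholder; the permission checks assume a Unix-style filesystem where the mode bits mean something.

```perl
#!/usr/bin/perl
# Added example (not from the thread): keep the application password out of
# the script in a separate file, and check that file's ownership and mode
# before trusting it.
use strict;
use warnings;
use Fcntl ':mode';

# Returns the first line of the file, or dies with a reason. Placeholder
# path; the checks assume Unix permission semantics.
sub read_secret_file {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is owned by uid $uid, not by you (uid $<)\n" unless $uid == $<;
    die sprintf("%s is readable by group or others (mode %04o); chmod 600 it\n",
                $path, $mode & 07777)
        if $mode & (S_IRWXG | S_IRWXO);

    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my $secret = <$fh>;
    close $fh;
    die "$path is empty\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

my $path     = @ARGV ? shift @ARGV : "$ENV{HOME}/.myapp_password";
my $password = read_secret_file($path);

# Hand $password to the application's Perl API here; never print or log it.
print "read a ", length($password), "-byte password from $path\n";
```

This does not make the password unrecoverable, which is the thread's point: anyone who can run the script as that user can read the file. What it does is shrink the set of people who can, to the account the script runs as, and make the script fail loudly the moment someone loosens the permissions.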

      I agree with everyone here encrypting and decrypting is futile

      Fair enough, 'everyone' is saying don't encrypt/decrypt passwords. That might lead someone to the (incorrect) conclusion that 'everyone' thinks passwords should just be stored in plain text.

      What 'everyone' was failing to say is that the correct approach is to store hashed passwords rather than encrypted passwords.

        No, no one is failing to say that. Everyone but you is realizing that storing a hashed password isn't going to solve the OP's problem.

        Here's an example of how hashed passwords are utterly useless: You have an application that needs access to a database. Access is password controlled. I give you the hashed password, and tell you to write a script to retrieve a piece of data from the database. Now, what's your plan? How do you intend to use this hashed password?

        Hashed passwords are great if your purpose is to check whether a given password is valid. However, the point of hashing passwords is to make retrieving them impractical. Which means that if you need the plain text password, hashed passwords are not the answer.
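The distinction drawn in the last two posts, as an added example that is not part of the thread: a salted, iterated hash built from the core Digest::SHA module (PBKDF2 with HMAC-SHA-256) can tell you whether a candidate password is the right one, but the stored string is of no use as a password itself, which is exactly why it cannot help a script that must present the real password. The iteration count, the salt source (/dev/urandom) and the storage format are choices made for this illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a password hash you can verify against
# but not reverse. Passwords are treated as byte strings; encode to UTF-8
# first if they may contain wide characters.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

my $ITERATIONS = 100_000;   # cost factor for this illustration; raise over time

# PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte output block.
sub pbkdf2_sha256 {
    my ($password, $salt, $iterations) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);  # U_1 = PRF(P, S || INT(1))
    my $t = $u;
    for (2 .. $iterations) {
        $u = hmac_sha256($u, $password);                    # U_i = PRF(P, U_{i-1})
        $t ^= $u;                                           # T = U_1 xor ... xor U_c
    }
    return $t;
}

# Random salt from /dev/urandom (assumed available, i.e. a Unix host).
sub random_salt {
    my ($n) = @_;
    $n //= 16;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!\n";
    read($fh, my $salt, $n) == $n or die "short read from /dev/urandom\n";
    close $fh;
    return $salt;
}

# The string you would store: algorithm, cost, salt and hash, '$'-separated.
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= random_salt();
    my $hash = pbkdf2_sha256($password, $salt, $ITERATIONS);
    return join '$', 'pbkdf2-sha256', $ITERATIONS,
        unpack('H*', $salt), unpack('H*', $hash);
}

# Constant-time comparison so the timing doesn't reveal how many bytes matched.
sub bytes_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = $x ^ $y;
    return (($diff =~ tr/\0//) == length($x)) ? 1 : 0;
}

# 1 if $candidate is the password that produced $stored, else 0.
sub verify_password {
    my ($stored, $candidate) = @_;
    my ($alg, $iter, $salt_hex, $hash_hex) = split /\$/, $stored;
    return 0 unless defined $hash_hex && $alg eq 'pbkdf2-sha256';
    my $expected = pack('H*', $hash_hex);
    my $actual   = pbkdf2_sha256($candidate, pack('H*', $salt_hex), $iter);
    return bytes_equal($expected, $actual);
}

my $stored = hash_password('correct horse battery staple');
print "stored:                  $stored\n";
print "right password verifies: ", verify_password($stored, 'correct horse battery staple'), "\n";
print "wrong password rejected: ", verify_password($stored, 'Correct horse battery staple'), "\n";

# The stored hash is not a password: presenting it to the verifier (or to the
# application the OP is scripting) is just another wrong password.
print "hash used as password:   ", verify_password($stored, $stored), "\n";
```

Run as-is it prints the stored string followed by 1, 0, 0. The last line is the point of the exchange above: hashing is the right tool for a system that checks passwords, and the wrong tool for a script that has to supply one.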
