http://www.perlmonks.org?node_id=493086


in reply to Encrypting User/Pass sent by WWW::Mechanize

The only way you can protect your username and password from getting unencrypted out of your box into the wild internet is if you use a secure connection, such as https.

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

Re^2: Encrypting User/Pass sent by WWW::Mechanize
by tilly (Archbishop) on Sep 19, 2005 at 06:38 UTC
    Not quite true. If the website is using Digest authentication, then your password is never transmitted in the clear. However, most websites won't accept that, so you have to send your password in the clear.

    If this distresses people, it is no worse than typing name/password into a normal web form. (Perhaps this distresses you even more...)

      Well, I said "such as https" and I count Digest authentication as some form of secure connection (at least as far as username/password is concerned and that was the scope of the question). I should have made that more clear perhaps.

      CountZero

Re^2: Encrypting User/Pass sent by WWW::Mechanize
by cdherold (Monk) on Sep 19, 2005 at 06:37 UTC
    Does it count if the webpage I am logging onto is https? I am guessing not, but thought I should ask just to make sure.

    If not, how hard would it be for me to set it up?

    (A) It would be very hard.
    (B) It would be pretty hard, but go here for help.
    (C) It's so easy, let me show you how.

      I suppose there are two aspects to keeping this username and password combination secure:

      • Firstly, the local storage of the script and the username and password it contains.
      • Second, the transmission of these details across the wider internet.

      For the first item, I'd say it would be difficult to securely store the password in the script. Even if you were to use some sort of encryption (and I'm no expert on this) then by virtue of running the script it would have to automatically decrypt the password for use. Therefore you'd need to have some other password or code phrase to restrict access to it, and then you might as well not store your original password in the script and just type it in every time.

      The alternative option is that you store the script + plain text username and password on one of those USB flash memory sticks that do encryption. They either force you to enter a password or some biometric data (fingerprint) and then they appear as a regular drive on your system. You can then just run the script from the removable flash drive.

      Getting back to Perl for the second point, you'd need to ensure that the web site you're talking to uses HTTPS (they really should do) and then just use the secure URL with WWW::Mechanize and you'll know that the details are encrypted across the internet.

      You will need the Crypt::SSLeay and relevant libraries (OpenSSL or the DLLs for Windows - the latter are installed if you use PPM to get Crypt::SSLeay) to use WWW::Mechanize with SSL sites though.
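The two points in the reply above (type the password in at run time, and only ever talk to the site over HTTPS), sketched as an added example that is not code from this thread. The login URL and form field names are hypothetical placeholders, and it assumes a current LWP (6.x, with LWP::Protocol::https) where `ssl_opts` is available, plus Term::ReadKey for the no-echo prompt.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use WWW::Mechanize;
use Term::ReadKey;    # for ReadMode, to turn off terminal echo

# Hypothetical values: replace with the real login page and form field names.
my $login_url  = 'https://www.example.com/login';
my $user_field = 'username';
my $pass_field = 'password';

# Refuse to run against a plain-http URL at all.
die "Login URL must be https\n" unless $login_url =~ m{\Ahttps://}i;

# Ask for the credentials at run time so they are never stored in the script.
print STDERR "Username: ";
chomp( my $user = <STDIN> // '' );
print STDERR "Password: ";
ReadMode('noecho');
chomp( my $pass = <STDIN> // '' );
ReadMode('restore');
print STDERR "\n";

my $mech = WWW::Mechanize->new(
    autocheck => 1,                           # die on any HTTP error
    ssl_opts  => { verify_hostname => 1 },    # check the server certificate
);

# Allow https only, so a redirect or form action pointing at http://
# fails instead of sending the credentials unencrypted.
$mech->protocols_allowed( ['https'] );

$mech->get($login_url);

# Confirm where we actually ended up, and where the form will post to.
die "Landed on a non-https page: ", $mech->uri, "\n"
    unless $mech->uri->scheme eq 'https';

my $form = $mech->form_with_fields( $user_field, $pass_field )
    or die "Login form not found\n";
die "Form posts to a non-https URL: ", $form->action, "\n"
    unless $form->action->scheme eq 'https';

$mech->set_fields( $user_field => $user, $pass_field => $pass );
$mech->submit;

print "Login request sent over TLS, final URL: ", $mech->uri, "\n";
```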

Re^2: Encrypting User/Pass sent by WWW::Mechanize
by cdherold (Monk) on Sep 19, 2005 at 06:45 UTC
    Should I be distressed? I thought I should be, but if it is the same as entering the data in a web browser as I do every day, then I feel less distressed ... I think.