PerlMonks
If you're using a '.htpasswd' style system, use MD5 crypt instead of DES. MD5 is much harder to crack than the simple DES encryption used by default, and it's perfectly compatible, at least when it comes to using Perl and crypt(). More on that in a second.

If you are storing passwords on your system, you want to ensure that even if the file should fall into the wrong hands, there is no easy way into your system. This is effected by having the passwords stored encrypted, just like they are in the UNIX '/etc/passwd' file (or, '/etc/shadow' which is more common these days). Since the passwords are sent via HTTP or a cookie, or some other mechanism in a non-encrypted way (even over "encrypted" SSL, they are decrypted into plain-text by the server for authentication), the encrypted passwords are no use since you still don't know the password to gain access.

As distributed.net proved, DES encryption is quite flimsy and hardly provides any security at all. You should use MD5 instead, which is a much more robust algorithm.

The trick to using MD5 instead of DES is in how you supply the "salt" to the crypt() function. If you follow the docs, you would supply two random letters. For MD5, you use eight, which allows for more variations when it is stored encrypted, which translates into better security.

Here's a standard-issue MD5 salt generator:

    my (@chars) = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

    sub md5_salt {
        my ($return) = '$1$';
        $return .= $chars[rand($#chars + 1)] foreach (0..7);
        return $return;
    }
It is used just like always:

    $passwd_encrypted = crypt($passwd, md5_salt());

    # For testing...
    if (crypt($passwd_guess, $passwd_encrypted) eq $passwd_encrypted) {
        # Got it.
    }
So you get passwords that are encrypted like:

    $1$1PUXLuZE$P.LfclRO9SKqTf2BQK.yD1
    $1$t7AJPueY$1ivH/pIhxnjEIx10QzaIi.
    $1$lvWzTNnn$JFsfy9ALLJS3Dpi4OHMVo1

These are, incidentally, all the same password ('shjdajksds') with different "salt".

If you are using a database, such as MySQL, you could use the built-in PASSWORD() function which does the encryption for you. Or, you could use your own. It depends on the security of your application.

What you should not ever do is store passwords as plain-text. So, yes, encrypt the passwords in the file, but don't bother encrypting the whole file.

In reply to Re: Best way to hide passwords. by tadman
in thread Best way to hide passwords. by SilverB1rd
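The salt-then-verify flow described in the post above, as a complete script. This is an added example, not tadman's code: it assumes the platform's crypt(3) honours the "$1$" MD5-crypt prefix (glibc does; some libcs silently fall back to DES and truncate the salt, which the sanity check below catches), and it re-checks the three hashes quoted in the post against the password the post says they encode.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the original post. Assumes crypt(3) on this
# system understands the "$1$" MD5-crypt prefix.
my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Build a "$1$" prefix followed by eight salt characters.
sub md5_salt {
    my $salt = '$1$';
    $salt .= $chars[ rand @chars ] for 1 .. 8;
    return $salt;
}

# Hash a new password with a fresh random salt.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, md5_salt());
}

# Verify a guess: passing the stored hash as the salt makes crypt()
# reuse its "$1$<salt>$" prefix, so the output can be compared directly.
sub check_password {
    my ($guess, $stored) = @_;
    return crypt($guess, $stored) eq $stored;
}

# Sanity check that crypt() actually produced an MD5-crypt string and
# did not fall back to DES (which would ignore most of the salt).
my $stored = hash_password('shjdajksds');
die "crypt() did not honour the \$1\$ prefix on this platform\n"
    unless $stored =~ m{^\$1\$[./0-9A-Za-z]{8}\$};

print "stored:     $stored\n";
print "right pw:   ", (check_password('shjdajksds', $stored) ? "match" : "no match"), "\n";
print "wrong pw:   ", (check_password('guess',      $stored) ? "match" : "no match"), "\n";

# The three hashes quoted in the post, all stated to be 'shjdajksds'
# under different salts. Each should verify against that password.
my @from_post = (
    '$1$1PUXLuZE$P.LfclRO9SKqTf2BQK.yD1',
    '$1$t7AJPueY$1ivH/pIhxnjEIx10QzaIi.',
    '$1$lvWzTNnn$JFsfy9ALLJS3Dpi4OHMVo1',
);
for my $h (@from_post) {
    printf "%s => %s\n", $h,
        check_password('shjdajksds', $h) ? "verifies" : "does NOT verify";
}
```

Note that `rand` is not a cryptographic generator; it is adequate for choosing a salt (the salt only needs to be unique, not secret), but it must never be used for anything that has to stay unguessable, such as session tokens.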
