http://www.perlmonks.org?node_id=223673


in reply to Re: ??Mnemonic Passwords??
in thread ??Mnemonic Passwords??

crypt and other one-way hashing algorithms are not appropriate for every application. Ever try to maintain thousands of user accounts where everyone's password is crypt'ed? It's no fun when you have no way of reminding them what their password is when they forget. Storing passwords in the clear may not be the most secure thing in the world, but if the application isn't critical the convenience may FAR outweigh the lack of security. Both Slashdot and Perlmonks store their password lists un-crypt'ed for that very reason, so that they can email it to people who forget.

The original poster's ROT13 encryption might not be secure, but it's at least reversible, which gives you (slightly) more security than storing plaintext passwords. Sure, he's putting up a chain-link fence instead of a guard tower, but there's a reason why people still use chain-link fences. :-)

Gary Blackburn
Trained Killer

Re: Re: Re: ??Mnemonic Passwords??
by tachyon (Chancellor) on Jan 02, 2003 at 04:54 UTC

    Given that you can have an industrial strength fence for essentially the same price as a decorative ROT13 one why not just:

        use strict;
        use warnings;
        use Crypt::Blowfish;
        use Crypt::CBC;

        my $KEY = 'GNUisnotUnix';   # Blowfish will take up to 56 bytes (448 bits) of key
        my $cipher = Crypt::CBC->new( -key => $KEY, -cipher => 'Blowfish' );

        my $enc = encrypt('Hello World');
        my $dec = decrypt($enc);
        print "$enc\n$dec\n";

        # hex in / hex out so the ciphertext can be stored as plain text
        sub decrypt { defined $_[0] ? $cipher->decrypt_hex($_[0]) : '' }
        sub encrypt { defined $_[0] ? $cipher->encrypt_hex($_[0]) : '' }

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
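    Added example (not tachyon's code and not from the Crypt::CBC docs) showing the two storage choices this thread argues about side by side: a reversible Blowfish/CBC record that can be mailed back to a forgetful user, and a salted one-way record that can only be checked. It assumes Crypt::Blowfish is installed, uses an assumed environment variable name PW_STORE_KEY so the passphrase is not kept beside the data, and uses salted SHA-256 as a stand-in for crypt().

```perl
use strict;
use warnings;
use Crypt::CBC;
use Digest::SHA qw(sha256_hex);

# Constructed demo: the same user record kept both ways the thread discusses.
# The reversible store needs its passphrase at runtime, so it is read from an
# environment variable (PW_STORE_KEY is an assumed name) rather than sitting
# next to the data it protects.
my $KEY = $ENV{PW_STORE_KEY} // 'demo-only-passphrase';
my $cipher = Crypt::CBC->new(-key => $KEY, -cipher => 'Blowfish');

my %reversible;   # user => hex ciphertext; can be decrypted and mailed back
my %oneway;       # user => "salt:hash"; can only be checked, never recovered

sub store_reversible {
    my ($user, $pw) = @_;
    $reversible{$user} = $cipher->encrypt_hex($pw);
}

sub remind {      # the convenience Gary wants: give the password back
    my ($user) = @_;
    return $cipher->decrypt_hex($reversible{$user});
}

sub store_oneway {
    my ($user, $pw) = @_;
    my $salt = sprintf '%08x', int rand 0xffffffff;   # per-user salt
    # Salted SHA-256 stands in for crypt() here; a slow KDF is the better
    # choice in practice, but the point is the same: no way back to $pw.
    $oneway{$user} = "$salt:" . sha256_hex($salt . $pw);
}

sub verify_oneway {
    my ($user, $pw) = @_;
    my $stored = $oneway{$user} or return 0;
    my ($salt, $hash) = split /:/, $stored, 2;
    return sha256_hex($salt . $pw) eq $hash ? 1 : 0;
}

store_reversible('gary', 'chainlink');
store_oneway('gary', 'chainlink');

print "reminder:   ", remind('gary'), "\n";
print "verify ok:  ", verify_oneway('gary', 'chainlink'), "\n";
print "verify bad: ", verify_oneway('gary', 'wrong'), "\n";
# %oneway holds nothing that could be mailed to a forgetful user;
# %reversible does, but only as long as $KEY is also available to whoever reads it.
```

    Whoever can read both the data store and $KEY gets every password from %reversible, which is the trade Gary describes; %oneway gives that reader only per-user guessing work.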

      Well, yeah, there are lots of two-way ciphers available, which would allow you to protect the stored passwords. But even so it's overkill for lots of applications. It will keep Evil Doers from compromising your passwords if they have access to your filesystem, but if they have access to your filesystem you have bigger problems anyway. I personally don't bother encrypting passwords unless money is involved, but, as always, TMTOWTDI. :-)

      Gary Blackburn
      Trained Killer