Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re: Re: ??Mnemonic Passwords??

by Trimbach (Curate)
on Jan 02, 2003 at 03:23 UTC ( #223673=note: print w/replies, xml ) Need Help??


in reply to Re: ??Mnemonic Passwords??
in thread ??Mnemonic Passwords??

crypt and other one-way hashing algorithms are not appropriate for every application. Ever try to maintain thousands of user accounts where everyone's password is crypt'ed? It's no fun when you have no way of reminding them what their password is when they forget. Storing passwords in the clear may not be the most secure thing in the world, but if the application isn't critical the convenience may FAR outweigh the lack of security. Both Slashdot and Perlmonks store their password lists un-crypt'ed for that very reason, so that they can email it to people who forget.

The original poster's ROT13 encryption might not be secure, but it's at least reversable, which gives you (slightly) more security than storing plaintext passwords. Sure, he's putting up a chain-link fence instead of a guard tower, but there's a reason why people still use chain-link fences. :-)

Gary Blackburn
Trained Killer

Replies are listed 'Best First'.
Re: Re: Re: ??Mnemonic Passwords??
by tachyon (Chancellor) on Jan 02, 2003 at 04:54 UTC

    Given that you can have an industrial strength fence for essentially the same price as a decorative ROT13 one why not just:

    use Crypt::Blowfish; use Crypt::CBC; $KEY = 'GNUisnotUnix'; # Blowfish will take 56 bytes (448 bits) of ke +y my $cipher = new Crypt::CBC( $KEY, 'Blowfish' ); my $enc = encrypt('Hello World'); my $dec = decrypt($enc); print "$enc\n$dec\n"; sub decrypt { defined $_[0] ? $cipher->decrypt_hex($_[0]) : '' } sub encrypt { defined $_[0] ? $cipher->encrypt_hex($_[0]) : '' }

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      Well, yeah, there's lots of two-way ciphers available, which would allow you to protect the stored passwords. But even so it's overkill for lots of applications. It will keep Evil Doers from compromising your passwords if they have access to your filesystem, but if they have access to your filesystem you have bigger problems anyway. I personally don't bother encrypting passwords unless money is involved, but, as always, TMTWTDI. :-)

      Gary Blackburn
      Trained Killer

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://223673]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (3)
As of 2021-10-24 20:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My first memorable Perl project was:







    Results (89 votes). Check out past polls.

    Notices?