On 8/10/06, Christopher H. Laco <[EMAIL PROTECTED]> wrote:
Jonas wrote:
> Hi,
> I'm trying to store a hashed password in a database using DBIC. What
> is the best way to create the digest of the password?
> I tried with deflate, but deflate only runs when the argument is a reference.
> Then I tried with an HTML::Widget Filter but the filter runs before
> the constraints, so the password failed to match with the confirm
> field.
> Is there any other way of doing this without explicitly making the
> hash in the insert and update methods?
>
> Thanks,
> --Jonas
http://search.cpan.org/dist/DBIx-Class-DigestColumns/
Also, you could use something like:
http://pajhome.org.uk/crypt/md5/sha1src.html
And do your hashing in JavaScript in the browser. Basically you want to hook onClick/onSubmit/whatever for your login form, and hash the contents of the passwd field before doing the actual submission, using a JavaScript sha1 (or other algorithm of your choosing).
It's much safer from a security standpoint to hash at the browser, as this prevents the user's cleartext password from being sent over the wire at all, and keeps your code/logs/employees from ever having a chance at knowledge of the actual password.
-- Brandon
_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
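The submit hook described in the reply above, as an added example that is not part of the original thread or of any code the posters link to. It runs under Node.js so it can be executed offline; the `user` field, the `users` map and the server-side scrypt step are assumptions of this example. The server only ever receives the digest, so the digest is what authenticates the login, and the example stores a salted scrypt hash of it rather than the value as received.

```javascript
// Added example: browser-side hashing on submit plus server-side storage.
// Hypothetical names: onSubmit, enroll, login, users, the "user" field.
const nodeCrypto = require("crypto");

// Browser side. In a page the hook would be wired roughly as:
//   form.onsubmit = function () { form.passwd.value = sha1Hex(form.passwd.value); };
function sha1Hex(text) {
  return nodeCrypto.createHash("sha1").update(text, "utf8").digest("hex");
}

// Returns the fields as they leave the browser: passwd replaced by its digest.
function onSubmit(fields) {
  return { ...fields, passwd: sha1Hex(fields.passwd) };
}

// Server side. The submitted digest is the only secret the server sees, so it
// is handled like a password: random per-user salt, slow hash (scrypt).
function enroll(users, submitted) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.scryptSync(submitted.passwd, salt, 32);
  users.set(submitted.user, { salt, hash });
}

function login(users, submitted) {
  const rec = users.get(submitted.user);
  if (!rec) return false;
  const hash = nodeCrypto.scryptSync(submitted.passwd, rec.salt, 32);
  // Constant-time comparison of two 32-byte buffers.
  return nodeCrypto.timingSafeEqual(hash, rec.hash);
}

// Constructed sample data: user "alice" with password "abc".
function demo() {
  const users = new Map();
  const wire = onSubmit({ user: "alice", passwd: "abc" });
  enroll(users, wire);
  return {
    sentOverWire: wire.passwd,
    storedInDb: users.get("alice").hash.toString("hex"),
    goodLogin: login(users, onSubmit({ user: "alice", passwd: "abc" })),
    badLogin: login(users, onSubmit({ user: "alice", passwd: "abd" })),
  };
}

console.log(demo());
```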
