In a message dated 5/2/99 6:34:34 PM, you wrote:
<<Adrian: How would you implement it so that the passwords remain
safe while the cgi can be placed in the downloads folder (so others
can make changes, bug fixes etc)?>>
That's easy: use a one-way function like DES.
spice+zeroes > encrypted with password > random string
DES, in this implementation, is non-reversible. To check the password:
random string > decrypted with password > spice+zeroes
The spice is a random 2-char thingie to make the password VERY HARD to
reverse engineer. When checking to see if a password is correct, you can
ignore the two spice characters.
Example script (assumes you have some sort of DES external):
on makePassword user,password
  global passwords
  put "" into pwdString
  -- make the spice, which is just 2 random printable characters
  -- (numtochar turns a number into a character; 33..126 stays in printable ASCII)
  repeat 2
    put numtochar(random(94)+32) after pwdString
  end repeat
  -- add a string of zeroes
  repeat 8
    put "0" after pwdString
  end repeat
  -- encrypt spice+zeroes with the password as the key, store "user,ciphertext"
  put return&user&","&desEncrypt(pwdString,password) after passwords
  if line 1 of passwords="" then delete char 1 of passwords
end makePassword

function validify user,password
  global passwords
  -- find user password
  repeat with i=1 to the number of lines in passwords
    if item 1 of line i of passwords=user then
      -- found user, now validify
      put item 2 of line i of passwords into pwdString
      -- decrypt with the offered password as the key
      put desDecrypt(pwdString,password) into pwdString
      -- delete the spice
      delete char 1 to 2 of pwdString
      -- now check to see if there are 8 zeroes
      if pwdString="00000000" then return true
      -- nope, incorrect password
      return false
    end if
  end repeat
  -- no such user
  return false
end validify
The nice thing about this scheme is that not only does it ensure that nobody
knows anyone else's passwords, but the password file can be distributed to
everyone, allowing anyone to validify a password. I have no idea why anyone
else would need to validify a password, but I'd like to go with a solution
that gives as many options as possible (btw, this is the same system *nix
uses).
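The same spice+zeroes scheme written out in Go, as an added example that is not from the original message: it uses DES-CBC from Go's standard library in place of the unnamed DES external, folds the password into the 8-byte DES key by truncating or zero-padding it (an assumption of this example), and stores the result as hex so the comma-separated record stays parseable.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
)

const zeroes = "00000000" // the eight zeroes the script checks for after decrypting

// cbc returns DES-CBC keyed by the password (truncated or zero-padded to the 8 bytes
// DES wants, an assumption of this example) with an all-zero IV; the random spice in
// the first block is what stops two users with the same password sharing a record.
// DES also ignores the low bit of each key byte, so passwords differing only there collide.
func cbc(password string, decrypt bool) cipher.BlockMode {
	key := make([]byte, des.BlockSize)
	copy(key, password)
	block, _ := des.NewCipher(key) // cannot fail: the key is always exactly 8 bytes
	iv := make([]byte, des.BlockSize)
	if decrypt {
		return cipher.NewCBCDecrypter(block, iv)
	}
	return cipher.NewCBCEncrypter(block, iv)
}

// MakePassword encrypts spice+zeroes, zero-padded to two DES blocks, under the
// password. The 2-byte spice is passed in (draw it from crypto/rand in real use);
// the hex output keeps commas out of the stored item.
func MakePassword(spice []byte, password string) string {
	plain := append(append([]byte{}, spice[:2]...), zeroes...)
	plain = append(plain, bytes.Repeat([]byte{0}, 2*des.BlockSize-len(plain))...)
	out := make([]byte, len(plain))
	cbc(password, false).CryptBlocks(out, plain)
	return hex.EncodeToString(out)
}

// Validify decrypts a stored record with the offered password, skips the two spice
// bytes and accepts only if the eight zeroes come back.
func Validify(record, password string) bool {
	raw, err := hex.DecodeString(record)
	if err != nil || len(raw) != 2*des.BlockSize {
		return false
	}
	plain := make([]byte, len(raw))
	cbc(password, true).CryptBlocks(plain, raw)
	return string(plain[2:10]) == zeroes
}
```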