On 12/10/2012 09:12 PM, Ed Leafe wrote:
On Dec 10, 2012, at 8:55 PM, Stephen Russell <[email protected]> wrote:
Any good password inbound will be salted and that result is found in the table.
Salted with what?
Are you using a single salt for the entire application? That's almost
useless.
Using a single salt for the entire application has its advantages.
In my application each customer's record has a password field. The
password is based on both a universal salt phrase, that is part of the
app's configuration file, and also the password is encrypted, so it
cannot be read. I can force all customers to renew their password by
changing the universal salt phrase in the configuration file.
Perl uses a one way encryption, so if a user loses their password, they
have to create a new one. Even I can't tell a customer what their
password is, because in Perl there is no decryption mechanism.
Once a user logs into the app, they connect to the database under the
app's normal PostgreSQL user, that has limited privileges. When the
administrator logs into the app using his super user PostgreSQL user
name and password, the app connects to the PostgreSQL database using
full privileges.
The below line calls "sub crypt_password" in the app's classes, passing
the password and salt key. Sub crypt_password uses the salt key and
crypt function to return a salted, encrypted password back to the
$cryptedPass variable used when the customer's record is inserted:
my $cryptedPass = $oMy->crypt_password( $FORM{ "add_password" }, $oMy->{ SALT_KEY } );

############################################
## Class: Sm_shared_forms.pm
## crypt_password
############################################
sub crypt_password
{
    my $self = shift;
    my ( $password, $salt ) = @_;
    $password = crypt( $password, $salt );
    return $password;
}
Regards,
LelandJ
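Added example, not code from the post above: it contrasts the single application-wide salt described there with a salt drawn per customer record, using Perl's built-in crypt() exactly as the post does. The functions new_salt, hash_password and check_password, the placeholder $APP_SALT and the two sample records are all constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alphabet allowed in a traditional crypt(3) salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build a fresh random salt for one customer record. Plain crypt() reads
# only the first two salt characters unless the salt starts with a "$n$"
# modifier, so most of a long "salt phrase" is ignored; traditional DES
# crypt likewise uses only the first 8 password characters. On glibc a
# salt such as "\$6\$" . <16 chars> . "\$" selects SHA-512 instead.
sub new_salt {
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2;
}

# Hash a password with the given salt (constructed helper). The salt is
# kept as the prefix of the returned string, so no separate column is needed.
sub hash_password {
    my ($password, $salt) = @_;
    return crypt($password, $salt);
}

# Verify a login: crypt() reuses the salt embedded in the stored hash.
sub check_password {
    my ($password, $stored) = @_;
    return crypt($password, $stored) eq $stored;
}

# Constructed records: two customers who happened to choose the same password.
my %plain = (alice => 'Winter12', bob => 'Winter12');

# Scheme A: one application-wide salt (placeholder for the config-file value).
my $APP_SALT = 'Xy';
my %app = map { $_ => hash_password($plain{$_}, $APP_SALT) } keys %plain;
printf "app-wide salt: hashes identical? %s\n",
    $app{alice} eq $app{bob} ? 'yes' : 'no';   # yes: anyone reading the table sees shared passwords

# Scheme B: a random salt per record, stored with the hash.
my %per = map { $_ => hash_password($plain{$_}, new_salt()) } keys %plain;
printf "per-user salt: hashes identical? %s\n",
    $per{alice} eq $per{bob} ? 'yes' : 'no';   # no, barring a 1-in-4096 two-character salt collision

# Login still works without recording which salt was drawn.
print check_password('Winter12', $per{alice}) ? "alice: login ok\n" : "alice: login failed\n";
print check_password('wrong',    $per{alice}) ? "alice: login ok\n" : "alice: login failed\n";
```

With a per-record salt, rotating a configuration phrase no longer invalidates every password at once; that forced renewal would instead be done by flagging the records in the table.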
-- Ed Leafe
This message:
http://leafe.com/archives/byMID/profox/[email protected]