[thelist] Login Screen Security?

Joshua Olson joshua at waetech.com
Wed Nov 12 12:18:29 CST 2003


----- Original Message ----- 
From: <John.Brooking at sappi.com>
Sent: Monday, November 10, 2003 5:41 PM


> * Is the Perl "crypt" function (which says it works exactly like the
> crypt(3) function in the C library) a sufficient means of encrypting the
> password?

Yes, I'd think so.

> I'm letting the administrator set a "salt" value in the software
> configuration file, and when a password comes in from the login screen, I
> encrypt it with the same "salt" and compare the result to the encrypted
> value in the users file. Sound okay?

Great idea.

> * If my login screen is not going through an SSL layer, is that a
> hole?

Yes, it's a hole, unless you encrypt the form value via client-side
scripting before submittal.  This may or may not be tough if you don't wish
to expose the salt value.

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com
706.210.0168
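As an added example, not code from the thread, this Perl script shows the crypt-and-compare scheme John describes, but with a salt generated per user instead of one value read from the configuration file. It assumes the system's crypt(3) accepts the traditional two-character DES salt; the subroutine names are made up here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The alphabet crypt(3) accepts for salt characters.
my @SALT_CHARS = ('.', '/', '0' .. '9', 'A' .. 'Z', 'a' .. 'z');

# Make a fresh two-character salt when a user is created. A salt per user
# means two users with the same password do not end up with the same hash.
sub new_salt {
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2;
}

# Hash a password for storage in the users file.
sub hash_password {
    my ($plain, $salt) = @_;
    return crypt($plain, $salt);
}

# Verify a login attempt. crypt(3) writes the salt into the first characters
# of its own output, so the stored hash can be handed back as the salt
# argument: no shared salt has to live in the configuration file at all.
sub verify_password {
    my ($plain, $stored) = @_;
    my $candidate = crypt($plain, $stored);
    return 0 unless defined $candidate && length($candidate) == length($stored);
    # Compare every byte rather than stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Constructed demonstration: enrol a user, then check a good and a bad login.
my $stored = hash_password('correct horse', new_salt());
print verify_password('correct horse', $stored) ? "login ok\n" : "login rejected\n";
print verify_password('wrong horse',   $stored) ? "login ok\n" : "login rejected\n";
```

Traditional DES crypt only looks at the first eight characters of the password, so on a system whose crypt(3) also supports stronger schemes, a salt in one of those formats (for example one beginning with `$6$`) selects them while the verification code above stays unchanged.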


