hello ppl,
i've been coding a perl script for xchat and i need to store the nick's passwords. i was wondering which encryption to use. picture this situation: i've got a system flaw and some guy hacks the machine and gets his hands on the passwd file; he has access to the script. what encryption would be the best for this situation?
thx in advance
If you're storing for comparison (authentication) purposes (e.g. user enters a password, you save it, then later ask for the password again for verification), then you can store an MD5 hash of the password rather than encrypting and storing the password itself. See Digest::MD5 or Digest::Perl::MD5. Use the second if you are unable to compile C code; it is slower, but should not be noticably slow for something small like passwords.
Using this method, you would take input from the user, and hash it with MD5. The output is a unique string that cannot be reversed to re-obtain the original data. This is useful for password comparison because you can hash the input from the user, then compare the stored value and new value to assure they are the same. The password never has to be stored.
If you're storing for later retrieval and usage then you need a form of encryption that you can reverse with a key. You would use this for encrypting files/data, such as a list of passwords that you want to store for use later. Try Rijndael, Blowfish, Twofish. Of course you need to obtain the key somehow, probably by prompting the user at run-time.
it's the 2nd one. i need to retrieve it later. i really didn't want to get a prompt from the user, since it'd be better to prompt the password and lose the encryption. what do you think of getting the key from something in the system, like the current dir or the output of uname -s. would it still be secure? what i'm doing here is to store some irc nickname passwords in a file and when we login the perl script auto identifies the user.
any ideas for secure automation?