perl.beginners | Postings from January 2002

Security advice: SHA vs crypt for authenticator

January 16, 2002 10:46
I'm using a nice little GDBM file for authentication. It just stores users
and passwords as SHA1 hashes. When I need to authenticate someone (fewer
than 15 lines in the dbm file) I just tie it and compare the SHA'd user
input against the hex value in the dbm file. (The file is not publicly

It has been suggested, however, that this is not adequately secure and that
the passwords would be better stored crypted or some such. I don't really
see the difference between a SHA password and a crypted password in this
context. Wouldn't they be equally difficult to crack?

Oh, I should add that the authenticator runs as part of a server daemon on
a remote system, and so authentication is performed as the same user each

Just wanted to collect some opinions before I go further. (I'm perfectly
willing to accept the possibility I'm wrong--if I weren't I wouldn't
ask--so fire away.)
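
The following is an added example, not part of the original post. It compares the storage scheme the post describes (unsalted hex SHA-1 per user) with salted crypt() storage. A plain hash stands in for the tied GDBM file, and the accounts, passwords and helper names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample accounts; alice and bob share a password on purpose.
my %plain = (alice => 'hunter2', bob => 'hunter2', carol => 'xyzzy42');

# Scheme from the post: user => hex SHA-1 of the password, no salt.
# (A plain hash is used here in place of the tied GDBM file.)
my %sha_db = map { $_ => sha1_hex($plain{$_}) } keys %plain;

# crypt-style storage: a random two-character salt per entry. The salt is
# stored in the clear as the prefix of the result, so rand() is enough here.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
sub new_salt { join '', map { $salt_chars[rand @salt_chars] } 1 .. 2 }

sub crypt_store {
    my ($password) = @_;
    my $stored = crypt($password, new_salt());
    die "crypt() does not accept this salt format on this platform\n"
        unless defined $stored;
    return $stored;
}
my %crypt_db = map { $_ => crypt_store($plain{$_}) } keys %plain;

# Verification against the unsalted SHA-1 table, as in the post.
sub sha_check {
    my ($user, $pw) = @_;
    return (exists $sha_db{$user} && sha1_hex($pw) eq $sha_db{$user}) ? 1 : 0;
}

# Verification against the crypt table: crypt() reads the salt back out of
# the stored value, so the same call reproduces the stored string.
sub crypt_check {
    my ($user, $pw) = @_;
    return 0 unless exists $crypt_db{$user};
    my $got = crypt($pw, $crypt_db{$user});
    return (defined $got && $got eq $crypt_db{$user}) ? 1 : 0;
}

# Same password, no salt: the stored values are identical, so anyone who can
# read the file sees which accounts share a password, and one precomputed
# SHA-1 table applies to every row. With a salt, the entries differ unless
# the two random salts happen to match (1 chance in 4096).
printf "SHA-1 entries for alice and bob identical: %s\n",
    $sha_db{alice} eq $sha_db{bob} ? 'yes' : 'no';
printf "crypt entries for alice and bob identical: %s\n",
    $crypt_db{alice} eq $crypt_db{bob} ? 'yes' : 'no';
printf "bob/hunter2 accepted: sha=%d crypt=%d\n",
    sha_check('bob', 'hunter2'), crypt_check('bob', 'hunter2');
printf "bob/wrong accepted:   sha=%d crypt=%d\n",
    sha_check('bob', 'wrong'), crypt_check('bob', 'wrong');
```

The two-character salt selects traditional DES crypt, which only uses the first eight characters of the password; which other salt formats crypt() accepts depends on the platform's C library.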

