
Security advice: SHA vs crypt for authenticator

From: GoodleafJ
Date: January 16, 2002 10:46
Subject: Security advice: SHA vs crypt for authenticator
Message ID: OF0680FA85.AC0574BB-ON88256B43.00665B2C@immunex.com
Hello,
I'm using a nice little GDBM file for authentication. It just stores users
and passwords as SHA1 hashes. When I need to authenticate someone (fewer
than 15 lines in the dbm file) I just tie it and compare the SHA'd user
input against the hex value in the dbm file. (The file is not publicly
readable.)

It has been suggested, however, that this is not adequately secure and that
the passwords would be better stored crypted or some such. I don't really
see the difference between a SHA password and a crypted password in this
context. Wouldn't they be equally difficult to crack?

Oh, I should add that the authenticator runs as part of a server daemon on
a remote system, and so authentication is performed as the same user each
time.

Just wanted to collect some opinions before I go further. (I'm perfectly
willing to accept the possibility I'm wrong--if I weren't I wouldn't
ask--so fire away.)

Thanks,
John
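The two storage schemes the post compares, side by side, as an added example that is not part of the original message. The post ties a GDBM file; this script keeps the stored values in plain Perl hashes so it runs stand-alone, and the account names, passwords and wordlist are constructed sample data. Scheme A is the post's unsalted hex SHA-1; scheme B is crypt(3) with a fresh per-user salt, which assumes a libc that accepts the "$6$" (SHA-512) modular-crypt salt form, such as glibc. The two `crack_*` routines model an attacker who has obtained the file and simply count how many hash operations a wordlist costs under each scheme.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample data: three accounts, two of which chose the same password.
my %plain = (alice => 'hunter2', bob => 'hunter2', carol => 'correct horse');

# Scheme A: what the post describes. Unsalted SHA-1 of the password, stored as hex.
my %sha_store = map { $_ => sha1_hex($plain{$_}) } sort keys %plain;

# Scheme B: crypt(3) with a random salt per user. The salt is carried inside the
# stored string, so verification re-runs crypt() with the stored value as the salt.
# Assumption: the libc understands the "$6$" (SHA-512) salt prefix (glibc does).
# A traditional two-character DES salt demonstrates the same point, but DES crypt
# truncates passwords to 8 bytes.
sub new_salt {
    my @c = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    return '$6$' . join('', map { $c[int rand @c] } 1 .. 16) . '$';
}
my %crypt_store = map { $_ => crypt($plain{$_}, new_salt()) } sort keys %plain;

# Verification is a string comparison in both schemes; the difference lies
# entirely in what someone holding a copy of the file can do offline.
sub check_sha {
    my ($u, $p) = @_;
    return defined $sha_store{$u} && $sha_store{$u} eq sha1_hex($p);
}
sub check_crypt {
    my ($u, $p) = @_;
    return defined $crypt_store{$u} && $crypt_store{$u} eq crypt($p, $crypt_store{$u});
}

# Constructed wordlist for the offline guessing comparison.
my @wordlist = qw(password 123456 hunter2 letmein qwerty);

# Unsalted: hash each candidate once, then match it against every user at the
# same time. The candidate hashes could equally have been computed in advance.
sub crack_sha {
    my %by_hash;
    push @{ $by_hash{ $sha_store{$_} } }, $_ for keys %sha_store;
    my (%found, $work);
    for my $guess (@wordlist) {
        $work++;
        my $h = sha1_hex($guess);
        $found{$_} = $guess for @{ $by_hash{$h} || [] };
    }
    return (\%found, $work);
}

# Salted: each candidate must be hashed separately for every user, under that
# user's salt, and nothing can be precomputed before the file is in hand.
sub crack_crypt {
    my (%found, $work);
    for my $user (sort keys %crypt_store) {
        for my $guess (@wordlist) {
            $work++;
            if (crypt($guess, $crypt_store{$user}) eq $crypt_store{$user}) {
                $found{$user} = $guess;
                last;
            }
        }
    }
    return (\%found, $work);
}

# Identical passwords give identical stored values under scheme A only.
printf "SHA-1: alice and bob stored identically? %s\n",
    $sha_store{alice} eq $sha_store{bob} ? 'yes' : 'no';
printf "crypt: alice and bob stored identically? %s\n",
    $crypt_store{alice} eq $crypt_store{bob} ? 'yes' : 'no';

printf "login alice/hunter2 -> sha %d, crypt %d\n",
    check_sha('alice', 'hunter2') ? 1 : 0, check_crypt('alice', 'hunter2') ? 1 : 0;

my ($f1, $w1) = crack_sha();
my ($f2, $w2) = crack_crypt();
printf "SHA-1: %d hash operations, recovered: %s\n", $w1, join(', ', sort keys %$f1);
printf "crypt: %d hash operations, recovered: %s\n", $w2, join(', ', sort keys %$f2);
```

With the sample data above, both schemes accept the right password and both give up alice and bob to the five-word list, but scheme A does it in 5 hash operations for all three users together, while scheme B needs 11 (3 for alice, 3 for bob, 5 for carol) and cannot reuse work from one user against another. The gap grows with the number of users and the size of the wordlist, and is the practical difference between an unsalted hash and a salted crypt() string even when the file itself is not world-readable.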

