This is better, but still open to compromise.<br><br>The problem is that the hashing is predictable. Weaker to medium strength passwords can be fairly easily discovered; consider:<br><br> #!/usr/bin/perl<br> use Digest::SHA;<br> my $password = "hello";<br>
 my $sha = Digest::SHA->new;   # no algorithm given, so this defaults to SHA-1<br> $sha->add($password);<br> print $sha->hexdigest;<br><br>This produces: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d<br><br>Try googling this! You'll see pages of matches for the hex string, from which you can discover the original password.<br>
<br>This type of attack can be thwarted by salting the password, i.e. prepending some random characters to both the input string and output digest.<br><br>See <a href="http://www.perlmonks.org/index.pl?node_id=469789">http://www.perlmonks.org/index.pl?node_id=469789</a> for an example that combines SHA digests with salting.<br>
<br>Cheers<br>David<br><br><div class="gmail_quote">On Thu, Oct 8, 2009 at 2:10 PM, Toby Wintermute <span dir="ltr"><<a href="mailto:tjc@wintrmute.net">tjc@wintrmute.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2009/10/8 John Thornton <<a href="mailto:jdthornton@ozemail.com.au">jdthornton@ozemail.com.au</a>>:<br>
<div class="im">> So, does anyone here know how to<br>
> hash/encrypt/disguise passwords that are in plain text, as the password is<br>
> on my computer in the .yml file.<br>
<br>
</div>use Digest::SHA;<br>
my $password = "secret_password";<br>
my $sha = Digest::SHA->new;<br>
$sha->add($password);<br>
print "My hashed result is: " . $sha->hexdigest ."\n";<br>
_______________________________________________<br>
Melbourne-pm mailing list<br>
<a href="mailto:Melbourne-pm@pm.org">Melbourne-pm@pm.org</a><br>
<a href="http://mail.pm.org/mailman/listinfo/melbourne-pm" target="_blank">http://mail.pm.org/mailman/listinfo/melbourne-pm</a></blockquote></div><br>
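A worked version of the salting step described in the reply above, added here as an example; it is not code from the reply or from the linked perlmonks thread. It assumes Perl 5.10 or later and a Unix-like system with /dev/urandom, and it uses sha256_hex from Digest::SHA rather than the SHA-1 default of Digest::SHA->new. The function names make_salt, hash_password and verify_password and the "sha256$salt$digest" storage format are choices made for this example. The salt is prepended to the password before digesting and stored in front of the digest so that a check can recompute it; two stores of the same password then produce different digests, which is what defeats the search-engine lookup shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Read $n random bytes from the kernel CSPRNG and return them as hex.
# Assumes a Unix-like system with /dev/urandom.
sub make_salt {
    my ($n) = @_;
    $n = 16 unless defined $n;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $raw, $n);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return unpack 'H*', $raw;
}

# Hash a password with a salt. The salt is prepended to the password before
# digesting and stored in the clear in front of the digest, so a later check
# can recompute the same digest. A fresh salt is generated unless one is
# supplied (supplying one is only useful for tests).
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= make_salt();
    return join '$', 'sha256', $salt, sha256_hex($salt . $password);
}

# Check a candidate password against a stored "sha256$<salt>$<digest>" string.
# Returns 1 on match, 0 otherwise.
sub verify_password {
    my ($candidate, $stored) = @_;
    my ($alg, $salt, $digest) = split /\$/, $stored, 3;
    return 0 unless defined $digest && $alg eq 'sha256';
    # Plain 'eq' stops at the first differing byte; a constant-time comparison
    # is preferable where timing can be observed by a caller.
    return sha256_hex($salt . $candidate) eq $digest ? 1 : 0;
}

# Demonstration: the same password stored twice gets two different digests,
# so a table of precomputed digests (the Google lookup above) no longer helps.
my $first  = hash_password('hello');
my $second = hash_password('hello');
print "first:  $first\n";
print "second: $second\n";
print "stored strings differ: ", ($first ne $second ? "yes" : "no"), "\n";
print "verify 'hello'  against first:  ", verify_password('hello',  $first),  "\n";
print "verify 'hello!' against first:  ", verify_password('hello!', $first),  "\n";
print "verify 'hello'  against second: ", verify_password('hello',  $second), "\n";
```

Run it as a plain script; the two stored strings for "hello" differ in both their salt and digest fields, and only the correct password verifies against each. Digest::SHA is a fast general-purpose hash, so a salted SHA digest still lets an attacker test a great many guesses per second against a stolen store; where the goal is a password database, a deliberately slow password hash such as bcrypt (Crypt::Eksblowfish::Bcrypt on CPAN) or PBKDF2 is the usual choice, with the same store-the-salt-alongside pattern.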