[Melbourne-pm] Obfuscating passwords in configurations

Sam Watkins sam at nipl.net
Wed Dec 1 06:36:10 PST 2010

On Wed, Dec 01, 2010 at 09:29:10PM +1100, Leigh Sharpe wrote:
> Hi All, 
>  I'm using Config::Simple to retrieve configuration options from an external file. One of the configuration options is a password, but I'm really not keen on having a password in plain-text in a config file. Just setting the config file to be non-world-readable isn't really adequate. Can anybody suggest a way of obfuscating the password in the config file, and being able to retrieve it in my program?

Ok, I was silly enough to implement some sort of password encryption /
decryption thing in perl.  It uses a 20-byte secret, which shouldn't go in the
same config file, random salt, sha1, XOR and base64 encoding.  I think this
would deter casual inspection at least, and it would be extremely hard to break
without the secret... unless I've made some stupid mistake!

A limitation is that the password may not be more than 20 characters long.
One might encrypt longer passwords in < 20 character sections.

You could use this or similar to send encrypted passwords to users, e.g. in a
web cookie, keeping the secret hidden from them on a server.


I guess this is probably overkill for your needs.


More information about the Melbourne-pm mailing list