Re: prompt_password()
- Posted by jimcbrown2 (admin) Jun 30, 2012
I'll work on one later today and post it for inspection.
And here it is ...
include std/graphics.e
include std/math.e
/* Returns an encoded password based on the user's input. The actual password itself is not returned so the value returned by this function is safe to store because even if viewed, the original */
While I like this idea along with other features of this function (like the concept of having a password quality checker, or the ability to compress the display chars so the user can type in an extra-long password or pass phrase), I don't think this is the right place to deal with hashing the password.
In many cases, the application asks the user for the password, then passes it on to another (e.g. telnet, FTP, HTTP basic AUTH). In other cases, the application will have to hash or encrypt the raw value of the password in a certain way and then pass that hash on (e.g. SSH, HTTP Digest AUTH) and if prompt_password is returning the password with the wrong hash, then that's the end of that. The inability of this function to accommodate that makes it of significantly limited utility imvho.
While I like the idea of the quality checker, I think the implementation is quite raw. There's no simple length checking (though this can be determined by the other information returned by the quality checker), and there's no protection against using dictionary words or too-common passwords à la cracklib.
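The protocol point made in the post above, as an added example that is not part of the original post or of the Euphoria code under discussion: HTTP Basic needs the raw password, HTTP Digest (RFC 2617 without qop) needs a specific MD5 construction over it, and a value that was already hashed some other way satisfies neither. It is written in Python for illustration; `prehashed_prompt` is a hypothetical stand-in for a prompt that returns only an encoded value, and the user, realm, nonce and password are constructed sample values.

```python
import base64
import hashlib
import hmac


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic: the raw password is sent, only base64-encoded."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_auth_response(user, realm, password, method, uri, nonce) -> str:
    """HTTP Digest (RFC 2617, no qop): MD5(HA1:nonce:HA2)."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")  # requires the raw password
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def prehashed_prompt(password: str) -> str:
    """Hypothetical prompt that hands back an encoded value, never the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample values (assumptions for this example only).
USER, REALM, PASSWORD = "alice", "example", "correct horse"
METHOD, URI, NONCE = "GET", "/index.html", "abc123"


def server_accepts(response: str) -> bool:
    """Server side: recompute the expected Digest response and compare."""
    expected = digest_auth_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    return hmac.compare_digest(response, expected)


if __name__ == "__main__":
    raw = digest_auth_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    pre = digest_auth_response(USER, REALM, prehashed_prompt(PASSWORD),
                               METHOD, URI, NONCE)
    print("raw password accepted:      ", server_accepts(raw))
    print("pre-hashed password accepted:", server_accepts(pre))
    print("Basic header:", basic_auth_header(USER, PASSWORD))
```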