README
1This module is in alpha-testing. Build in the usual way; send bug reports
2and patches to me at the address below. From the documentation:
3
4NAME
5 Term::ReadPassword - Asking the user for a password
6
7SYNOPSIS
8 use Term::ReadPassword;
9 while (1) {
10 my $password = read_password('password: ');
11 redo unless defined $password;
12 if ($password eq 'flubber') {
13 print "Access granted.\n";
14 last;
15 } else {
16 print "Access denied.\n";
17 redo;
18 }
19 }
20
21DESCRIPTION
22 This module lets you ask the user for a password in the
23 traditional way, from the keyboard, without echoing.
24
25 This is not intended for use over the web; user authentication
26 over the web is another matter entirely. Also, this module
27 should generally be used in conjunction with Perl's crypt()
28 function, sold separately.
29
30 The read_password function prompts for input, reads a line of
31 text from the keyboard, then returns that line to the caller.
32 The line of text doesn't include the newline character, so
33 there's no need to use chomp.
34
35 While the user is entering the text, a few special characters
36 are processed. The character delete (or the character backspace)
37 will back up one character, removing the last character in the
38 input buffer (if any). The character CR (or the character LF)
39 will signal the end of input, causing the accumulated input
40 buffer to be returned. And, optionally, the character Control-C
41 may be used to terminate the input operation. (See details
42 below.) All other characters, even ones which would normally
43 have special purposes, will be added to the input buffer.
44
45 It is not recommended, though, that you use the as-yet-
46 unspecified control characters in your passwords, as those
47 characters may become meaningful in a future version of this
48 module. Applications which allow the user to set their own
49 passwords may wish to enforce this rule, perhaps with code
50 something like this:
51
52 {
53 # Naked block for scoping and redo
54 my $new_pw = read_password("Enter your new password: ");
55 if ($new_pw =~ /([^\x20-\x7E])/) {
56 my $bad = unpack "H*", $1;
57 print "Your password may not contain the ";
58 print "character with hex code $bad.\n";
59 redo;
60 } elsif (length($new_pw) < 5) {
61 print "Your password must be longer than that!\n";
62 redo;
63 } elsif ($new_pw ne read_password("Enter it again: ")) {
64 print "Passwords don't match.\n";
65 redo;
66 } else {
67 &change_password($new_pw);
68 print "Your password is now changed.\n";
69 }
70 }
71
72 The second parameter to read_password is the optional
73 `idle_timeout' value. If it is a non-zero number and there is no
74 keyboard input for that many seconds, the input operation will
75 terminate. Notice that this is not an overall time limit, as the
76 timer is restarted with each new character.
77
78 The third parameter will optionally allow the input operation to
79 be terminated by the user with Control-C. If this is not
80 supplied, or is false, a typed Control-C will be entered into
81 the input buffer just as any other character. In that case,
82 there is no way from the keyboard to terminate the program while
83 it is waiting for input. (That is to say, the normal ability to
84 generate signals from the keyboard is suspended during the call
85 to read_password.)
86
87 If the input operation terminates early (either because the
88 idle_timeout was exceeded, or because a Control-C was enabled
89 and typed), the return value will be `undef'. In either case,
90 there is no way provided to discover what (if anything) was
91 typed before the early termination, or why the input operation
92 was terminated.
93
94 So as to discourage users from typing their passwords anywhere
95 except at the prompt, any input which has been "typed ahead"
96 before the prompt appears will be discarded. And whether the
97 input operation terminates normally or not, a newline character
98 will be printed, so that the cursor will not remain on the line
99 after the prompt.
100
101SECURITY
102 You would think that a module dealing with passwords would be
103 full of security features. You'd think that, but you'd be wrong.
104 For example, perl provides no way to erase a piece of data from
105 memory. (It's easy to erase it so that it can't be accessed from
106 perl, but that's not the same thing as expunging it from the
107 actual memory.) If you've entered a password, even if the
108 variable that contained that password has been erased, it may be
109 possible for someone to find that password, in plaintext, in a
110 core dump. And that's just one potential security hole.
111
112 In short, if serious security is an issue, don't use this
113 module.
114
115AUTHOR
116 Tom Phoenix <rootbeer@redcat.com>
117
118SEE ALSO
119 Term::ReadLine, the "crypt" entry in the perlfunc manpage, and
120 your system's manpages for the low-level I/O operations used
121 here.
122
123