Thread: Insecure Password Protection for a File

  1. #1
    Registered User
    Join Date
    Feb 2012
    Posts
    17

    Insecure Password Protection for a File

    Hi
    I have to write a program that asks the user for a password to access a file, then offers options for searching, adding, modifying & deleting an employee record - a structure containing int, string*2, float.

    I decided to write the password at the start of the file, then '\n', and then the structure data.

    This is my code for the password thing:

    Code:
    FILE *file;
    if( ! ( file = fopen("employee.txt", "r+") ) )
    {
        printf("Error Opening in one of the modes. Program Terminating ...");
        delay(1000);
        exit(1);
    }

    /* read the stored password line from the start of the file */
    char fpass[20], pass[20];
        fgets(pass, 20, file);
        for(ch=0; pass[ch] != '\n'; ch++)
            strcat(fpass, pass[ch]);
        fseek(file, strlen(fpass) + 1, SEEK_SET);
    strcpy(pass, "");

    /* prompt until the entered password matches or the retry limit is hit */
    while(strcmp(fpass, pass))
    {
        system("cls");
        printf("\n\n\n\n\n\n\n\t\t\tEnter Password: ");
        scanf("%19s", pass);    /* width keeps the input inside pass[20] */
        
        retries += 1;
        if(retries == 5)
        {
            printf("\n\n\t\t\t\tRetry Limit Exceeded! Program Terminating ...\n");
            delay(1000);
            exit(1);
        }
    }
    I know this is not exactly what one would call password protection, so no sarcasm please :P

    But then I thought I should add an option to change password, which is the main problem right now!

    I thought I could save the password in the file as: "mypassword \n" so that the total length is 20 (max), then just put in the new password and, while reading the password initially, change:

    Code:
        for(ch=0; pass[ch] != '\n'; ch++)
            strcat(fpass, pass[ch]);
    to

    Code:
        for(ch=0; pass[ch] != '\n' && pass[ch] != ' '; ch++)
            strcat(fpass, pass[ch]);
    Is this really a stupid way (answer ignoring that this is not actual protection ... same old story)?

    Also, I would love to know a better method to password protect than this, one that is not too difficult.

    Thanks for bearing through this boring post !!
    Cheers !!

    EDIT:

    There are 10 spaces before '\n' in "mypassword \n"
    Last edited by Sourabh Verma; 11-15-2012 at 09:40 AM.

  2. #2
    and the hat of int overfl Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > strcat(fpass, pass[ch]);
    Well the first immediate problem is that strcat doesn't take a single char as the second parameter.

    > char fpass[20], pass[20];
    > fgets(pass, 20, file);
    The most you will get is 18 characters, plus the \n, plus the \0

    If you want a fixed-length record of 20 characters (as a readable line), then your buffer needs to be 22 chars.

    When it comes to writing the password, you need to make sure it is padded with sufficient spaces to make sure the overall length is again 20 chars + newline + \0

    Having done fgets(pass, 20, file);, the fseek() is unnecessary, as the first record will immediately follow.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  3. #3
    Registered User
    Join Date
    Feb 2012
    Posts
    17
    Originally posted by Salem:
    > > strcat(fpass, pass[ch]);
    > Well the first immediate problem is that strcat doesn't take a single char as the second parameter.

    Tried this code on codepad.org

    Code:
    #include <stdio.h>
    #include <string.h>
    int main(void)
    {
      char a[20] = "Hi" , b = 'a';
      strcat(a, &b);    /* the call being asked about */
      printf("%s", a);
      return 0;
    }
    It gave output: HiaHia

    Why? 0.o


    Originally posted by Salem:
    > > char fpass[20], pass[20];
    > > fgets(pass, 20, file);
    > The most you will get is 18 characters, plus the \n, plus the \0

    \0 as the string terminator?
    If there are 20 chars then \0 then \n then I need to check for just spaces, right? That would be better, right?

  4. #4
    and the hat of int overfl Salem
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > It gave output: HiaHia
    > Why? 0.o
    Pure dumb luck.

    Since the second parameter is supposed to be "pointer to a \0 terminated string", and &b is NOT such a thing (yes, it's a pointer to a char, but not a \0 terminated string).
    The compiler is happy (hey, a char pointer - great), but it fails on the run-time semantics of strcat()

    So you end up with some random garbage, maybe "success" (of a sort, depending on luck), or an outright crash and burn.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
