Thread: Password Scheme.

  1. #1
    Registered User
    Join Date
    Mar 2004
    Posts
    5

    Password Scheme.

    What is the most efficient form of creating a password scheme?
    So far, I have seen some examples.
    The only method I do not want to use is the array method.
    Also, would it be possible to see the code for suggested schemes?
    Any help is very much appreciated.

  2. #2
    Registered User
    Join Date
    Dec 2004
    Location
    The Netherlands
    Posts
    91
    encryption maybe?

  3. #3
    Registered User
    Join Date
    Mar 2004
    Posts
    5
    No, what I meant was the best method of password protecting part of your program. Say a function for example.
    And if someone could provide code for it

  4. #4
    Registered User Kybo_Ren's Avatar
    Join Date
    Sep 2004
    Posts
    136
    Well, for starters, some guidelines:

    - Don't store the password in plain text. This can be read and changed by anyone. Store an MD5 hash of the password if you have to.
    - Don't compare the password (hash) to another one. For instance, don't do:
    Code:
    std::string thehash="thisisahash";
    std::string passwd; //read this in later and hash it
    
    ...
    
    if(hash(passwd) == thehash)
    {
       //now do the function
    }
    This is also easy to change, thus eliminating your security measures.

    The best method I can think of is to hash the inputted password, and check if it exists in a web database of valid hashes (and make a maximum request of once per 10 seconds or something, so brute forcing is unrealistic). This has its drawbacks, but if the web database is secure from hackers, it's pretty secure.
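
The server-side check suggested in post #4, as an added example that is not part of the thread: attempts are limited to one per 10 seconds and digests are compared in constant time. `ThrottledVerifier`, `Kdf` and `toy_digest` are hypothetical names; `toy_digest` is a constructed stand-in so the code runs offline, and the verifier assumes the caller passes a salted, slow password hash from a vetted library.

```cpp
#include <array>
#include <chrono>
#include <cstdint>
#include <functional>
#include <string>
#include <utility>

using Digest = std::array<std::uint8_t, 32>;
using Clock = std::chrono::steady_clock;
using Kdf = std::function<Digest(const std::string&)>;
enum class Result { Ok, Wrong, Throttled };

// Compare every byte with no early exit, so timing does not reveal
// how many leading bytes of the digest matched.
bool equal_constant_time(const Digest& a, const Digest& b) {
    std::uint8_t diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<std::uint8_t>(a[i] ^ b[i]);
    return diff == 0;
}

class ThrottledVerifier {
public:
    // kdf: assumed to be a salted, slow password hash from a vetted library.
    ThrottledVerifier(Digest stored, Kdf kdf, std::chrono::seconds gap = std::chrono::seconds(10))
        : stored_(stored), kdf_(std::move(kdf)), gap_(gap) {}

    // `now` is passed in so the policy can be exercised without sleeping.
    Result attempt(const std::string& password, Clock::time_point now) {
        if (seen_ && now - last_ < gap_) return Result::Throttled;  // rejected before hashing
        last_ = now;
        seen_ = true;
        return equal_constant_time(kdf_(password), stored_) ? Result::Ok : Result::Wrong;
    }

private:
    Digest stored_;
    Kdf kdf_;
    std::chrono::seconds gap_;
    Clock::time_point last_{};
    bool seen_ = false;
};

// Constructed stand-in so the example runs offline; NOT a password hash.
Digest toy_digest(const std::string& s) {
    Digest d{};
    for (std::size_t i = 0; i < s.size(); ++i) d[i % d.size()] ^= static_cast<std::uint8_t>(s[i]);
    return d;
}
```

A throttled attempt does not restart the timer, and a real service would keep one such timer per account or client rather than a single global one.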

  5. #5
    yes, I'm registered!!! algi's Avatar
    Join Date
    Nov 2004
    Location
    Ipswich
    Posts
    161
    Passwords are really easy to use. Remember to #include <string>

    Then do the rest with if and else.
    I started out with nothing and I still have most of it left.

  6. #6
    Rad gcn_zelda's Avatar
    Join Date
    Mar 2003
    Posts
    942
    Algi, if you merely do...

    Code:
    if(password == "rightpassword")
    {
      lettheuserin;
    }
    else
    {
      dontletthemin;
    }
    That's too easy to read. What I think he needs to do is encrypt the password, like apsync said earlier so that the only way to get in is either to know the password, or to use brute force. As Kybo said, having a ten second delay between retries would make brute force impractical, time-wise.

  7. #7
    yes, I'm registered!!! algi's Avatar
    Join Date
    Nov 2004
    Location
    Ipswich
    Posts
    161
    Can you read .exe files?

  8. #8
    Rad gcn_zelda's Avatar
    Join Date
    Mar 2003
    Posts
    942
    No, which is what confuses me about his question.

    Could you clarify that for us, WeZ?

  9. #9
    Handy Andy andyhunter's Avatar
    Join Date
    Dec 2004
    Posts
    540
    Quote: "can you read .exe files"
    Yes, you just do a hex dump of the exe and all string literals become readily apparent, among other things. Doesn't anyone remember debug from DOS? Anyway, these days most development environments will do it for you, providing an even nicer interface than what debug offered.
    i don't think most standard compilers support programmers with more than 4 red boxes - Misplaced

    It is my sacred duty to stand in the path of the flood of ignorance and blatant stupidity... - quzah

    Such pointless tricks ceased to be interesting or useful when we came down from the trees and started using higher level languages. - Salem

  10. #10
    Handy Andy andyhunter's Avatar
    Join Date
    Dec 2004
    Posts
    540
    I don't know if this will point you in the right direction, Wez, but we have confidential software which encapsulates its functions in DLLs that the main program accesses at run time. You open the main program via a starter program which dynamically decrypts the DLLs for the main program when the main program links to them.

    So to sum up short and sweet:

    1. Put the functions you want to protect in a DLL (server DLL or exe).
    2. Encrypt your DLL.
    3. Create an interpreter which prompts the user for a password and starts the main program.
    4. Have the interpreter decrypt the DLL at link time.
    5. When the program releases the DLL at shutdown, re-encrypt.

    Happy coding!!!!

  11. #11
    Registered User
    Join Date
    Dec 2004
    Location
    The Netherlands
    Posts
    91
    I'll write some example code in a few minutes

    EDIT: //there you go

    Code:
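    #include <stdio.h>
    
    char plain_password[] = "mypw";
    /* "mypw" plus its terminating '\0', every byte XORed with 'A' */
    char encrypted_password[] = ",816A";
    
    /* XOR the first len bytes of string with 'A' */
    void encrypt(char string[], int len)
    {
    	int B;
    	for(B=0;B<len;B++)
    		string[B] ^= 'A';
    }
    
    /* XOR is its own inverse, so decrypting repeats the same operation */
    void decrypt(char string[], int len)
    {
    	int B;
    	for(B=0;B<len;B++)
    		string[B] ^= 'A';
    }
    
    int main()
    {
    	int A = sizeof(plain_password);	/* 5: four characters plus '\0' */
    
    	encrypt(plain_password, A);
    	/* the '\0' is now 'A', so print exactly A bytes instead of relying on a terminator */
    	printf("plain_password[] is now: %.*s\n", A, plain_password);
    
    	decrypt(encrypted_password, A);
    	printf("encrypted_password[] is now: %s\n", encrypted_password);
    	return 0;
    }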
    If you use this approach and open the exe with a hex editor or even with Notepad, you won't see 'mypw' but ',816A', and they need to know your function to decrypt it.
    Last edited by apsync; 01-02-2005 at 04:43 AM.

  12. #12
    Registered User Kybo_Ren's Avatar
    Join Date
    Sep 2004
    Posts
    136
    Quote: "and they need to know your function to decrypt it"
    Which is ridiculously easy with a disassembler. Especially with that function: just a xor.

    Alas, there really aren't very many super-secure solutions.

  13. #13
    Registered User
    Join Date
    Dec 2004
    Location
    The Netherlands
    Posts
    91
    True, but it's OK to start with.
    I think XOR was also my first encryption.

    Otherwise, get/read a book about encryption.
    Last edited by apsync; 01-02-2005 at 07:20 AM.

  14. #14
    VA National Guard The Brain's Avatar
    Join Date
    May 2004
    Location
    Manassas, VA USA
    Posts
    903

    Exclusive OR

    Here is a little something I whipped up that will demonstrate a simple encryption technique. Simply by applying a XOR mask (using the ^ xor operator), you can encrypt your password, store it in a file and not worry about someone deciphering your password.

    With this program, you get only one chance in the beginning to create your password. If you want to change your password, you will have to exit the program and physically delete the ciphertext.dat file.

    This program is based on this tutorial.

    Code:
    #include<iostream>
    #include<fstream>
    #include<iterator>
    #include<string>
    #include<cstdlib>
    #include<cctype>
    using namespace std;
    
    int main()
    {
    	ifstream in_stream;
    	ofstream out_stream;
    
    	char choice;
    	const char key[] = "VsRdLwPoAi";	//make an arbitrary private key (10 characters + '\0')
    	const size_t key_len = sizeof(key) - 1;
    	string password;
    	string user_entry;
    
    	//binary mode: the XOR output can contain any byte value
    	in_stream.open("ciphertext.dat", ios::binary);
    	if(in_stream.fail())
    	{
    		cout << "\nPassword has not been created, would you like "
    		     << "to create one now? (Y/N) ";
    		cin >> choice;
    
    		if(toupper((unsigned char)choice)=='N')
    			exit(0);
    
    		cout << "\n\nEnter a password (10 characters or less): ";
    		cin >> password;
    		if(password.size() > key_len)
    			password.resize(key_len);	//the key only covers 10 characters
    
    		//apply XOR mask encryption
    		for(size_t i=0; i<password.size(); i++)
    			password[i] = password[i]^key[i];
    
    		out_stream.open("ciphertext.dat", ios::binary);
    		if(out_stream.fail())
    		{
    			cout << "\a\n\nOutput file opening failed.\n";
    			exit(1);
    		}
    
    		//Send encrypted password to file
    		out_stream << password;
    		out_stream.close();
    	}
    	else
    	{
    		//Retrieve encrypted password from file, byte for byte
    		password.assign(istreambuf_iterator<char>(in_stream),
    		                istreambuf_iterator<char>());
    		in_stream.close();
    		if(password.size() > key_len)
    			password.resize(key_len);
    	}
    
    	//decrypt password
    	for(size_t i=0; i<password.size(); i++)
    		//This second application of XOR will return
    		//the password back to original form
    		password[i] = password[i]^key[i];
    
    	do{
    		cout << "\n\nEnter your password: ";
    		cin >> user_entry;
    
    		if(user_entry == password)
    			cout << "\n\nPassword is correct.";
    		else
    			cout << "\a\n\n*** Password incorrect ***";
    
    		cout << "\n\nWould you like to try again? (Y/N) ";
    		cin >> choice;
    
    	}while(toupper((unsigned char)choice)!='N');
    
    	return 0;
    }

    I have actually opened the .exe with a hex editor and there is no evidence of the password or private key. Also, I have opened ciphertext.dat with notepad and all I saw was garbled text. XOR'ing a password alone may not be 100% fool-proof, but it is much more secure than using a literal string password. You can use this simple technique as part of a larger scheme.
    Last edited by The Brain; 01-02-2005 at 09:31 PM.
    • "Problem Solving C++, The Object of Programming" -Walter Savitch
    • "Data Structures and Other Objects using C++" -Walter Savitch
    • "Assembly Language for Intel-Based Computers" -Kip Irvine
    • "Programming Windows, 5th edition" -Charles Petzold
    • "Visual C++ MFC Programming by Example" -John E. Swanke
    • "Network Programming Windows" -Jones/Ohlund
    • "Sams Teach Yourself Game Programming in 24 Hours" -Michael Morrison
    • "Mathematics for 3D Game Programming & Computer Graphics" -Eric Lengyel

  15. #15
    Registered User
    Join Date
    Nov 2004
    Location
    Pennsylvania
    Posts
    434
    Yes, this will encrypt your password, but all someone needs to do is get a decompiler and find the key. XOR-ing a password is secure to a layman, but even a novice programmer can break it; haven't you listened to what people have been saying? XOR is good for encrypting strings with a KEY, but the key is stored in your head, not on a computer. Wez, good luck with your program; if you figure out a good scheme, tell me.
