Password program / general programming questions

So, I just decided to try picking up C++ programming as a hobby. I took a Java-based programming class back in high school, so I have a general idea what I'm doing (or so I think).
The program i made runs, but
A) it's very sloppy-looking (and I apologize for that).

B) it's really not practical "as-is" -- I would really like the password to be stored somewhere outside of this program. I'm not really sure how to do external references (or, if it's possible).

I'd love help w/ the "password" reference. I would really appreciate any general comments/critiques for how to make my programs look nicer/make more sense to viewers.
___________

Code:

//"Password program"
//this is a simple program I am using mostly just to learn/practice C++
// someday I might actually use this to pass-protect stuff maybe? (idk)

#include <iostream>

using namespace std;

int main()
{
    string password = "Pass";  //I really want to find a way to recover this variable
                               //from some remote file/program/class named "Server"
    string entry;

	cout << "\n Welcome ";
	cout << "\n Please enter your password \n";
cout<< "password:";
getline(cin, entry, '\n');
while(entry != password)
  {
   cout <<"Invalid password, \n Please re-enter your password. \n";
 getline(cin, entry, '\n');
  }

cout << "Verifying... Welcome \n";  //This would be pared with an if statement
                                // so as to either begin or exit a program

return 0;
}

I don't think I really phrased my questions effectively:

I want to make this program useful (if only for self-justification :-P). It seems to me, that a program designed to provide security is worthless if the password is clearly visible in the source code.

A) can I store the variable "password" in some other file?
-While searching this topic on the internet, the variable reference "extern" came up, but i have no idea how to use it--do I need the external file's pathway or anything?

B) I don't know much about encryption, but could I just encrypt the entire program (to be decrypted upon opening) ?
-If so, does this really provide security?


C) I know I need to learn more syntax in order to write real programs-- If what I have coded/suggested is completely illogical, should I just go back to the online tutorials and try to keep taking "hello world" baby-steps?

> A) can I store the variable "password" in some other file?
Of course - how do you think everyone else stores the password file?

You would store the encrypted password in the password file, then encrypt the user password inside your program, then compare the two.

> If so, does this really provide security?
It'll stop the kiddie with the hex viewer and no other clue, but if someone wants it badly enough and has the skills, it's no defence at all.

> should I just go back to the online tutorials and try to keep taking "hello world" baby-steps?
Well there's a whole chunk of C++ you've simply not touched on yet which would be worth learning about in "baby step" terms before you rush headlong into writing some kind of application.

the "extern" keyword declares a symbol to be external to the source file, and has nothing to do with what you are trying to do.

I don't know much about encryption, but could I just encrypt the entire program (to be decrypted upon opening) ?

It would be difficult if not impossible to do in pure C/C++, and is certainly not how people usually do it. Just encrypting the password file would be enough.

Here's a function to encrypt a string:

Code:

string xorString(const string in, const string key)
{
	string retString = in;

	size_t inLength = in.length() - 1;
	size_t keyLength = key.length()-1;

	//Loop through string and xor each charcter
	for(size_t i = 0, k = 0; i < inLength; i++){
		retString[i] = retString[i] ^ key[k];

		//Make sure the key index is in range
		k = k + 1 < keyLength ? k + 1 : 0;
	}//for

	return retString;
}

This will encrypt a string so that unless you have the key most people probably won't be able to crack it, of course there are some people who probably could. Just thought I'd share this.

There are a few other threads touching on this same subject, you may want to search the forum for "Password" and see if any of the other threads do tell you something useful - one of the things is to "hide" the password input when typing, for example [which will almost certainly be depending on your OS choice].

Encrypting your code will only prevent someone who hasn't got access to a debugger that can stop when your code is actually running - WinDBG, Visual Studio debugger, SoftICE or gdb can all do that sort of thing in different ways, whcih means that if the user has the executable file and a debugger, they can look at the the code as it runs.

I have heard of games that uses some sort of encryption to avoid copying/cheating, but it's realy not preventing someone who is determined to break in and using the right tools.

The protection against someone finding the password lies in using a "nonbreakable" password encryption, rather than using non-readable code. Non-readable code is just a small obstacle. Not being able to re-create the password itself from the encrypted data is definitely stopping the intruder.

--
Mats

Originally Posted by mikeman118

This will encrypt a string so that unless you have the key most people probably won't be able to crack it, of course there are some people who probably could. Just thought I'd share this.

Xor encryption prevents someone from reading the key as clear-text, but it's hardly "unbreakable". It is fairly easy to figure out what the key is once you know that it's Xor-encrypted, and if the key isn't changed for each user, once you have found the key, all passwords are now available.

md5 hash of the password is the method Linux/Unix uses, and it's fairly secure - you can still reverse-engineer passwords if they are "dictionary words", but each password has to be encrypted and compared with the encrypted version - there is no "common key", you have to produce a "password" and compare it with the data in the password file.

--
Mats

Thanks for all the input. Unfortunately I'm not going to have time to work on my app for a few days, but now I have some ideas to work with/on.

Yeah, so I'm basically obsessed with picking up C++ ... I put in about 8 hours of research/coding today, and I got the little beastie to work!

I learned a lot today (mostly about file I/O, program security, and general syntax), but I obviously have much more to learn.

Code:

#include <iostream>
#include <fstream>

// PASSWORD SIMULATION WITH "encryption" (lol)
//this is a simple program I am using mostly just to learn/practice C++
// someday I might actually use this to pass-protect stuff maybe? (idk)
// Version 1.1 completed on 10/31/07 (3rd day of C++ career) by PLR112387

using namespace std;



string establish()
{
ifstream remote_password;
string safepass = "";

remote_password.open("C:\\...\\encryptme.txt");
if (!remote_password)
   {
    cerr << "Unable to reach server ";  //unable to open data file
    exit(1);                            // call system to stop
   }

   while (remote_password >>safepass)
  {

  }
   remote_password.close();

return (safepass);
}

string decrypt()
{
string msg= establish();

string raw_pass;
const int shift = -13;      // "Cracker's Welcome Mat" --at least it's not plain-text.


  string::iterator i = msg.begin();
   string::iterator end = msg.end();

   while (i != end)
     *i++ += shift;

     raw_pass = msg;

return raw_pass;
}


int main()
{
    string entry;

	cout << "\n Welcome ";
	cout << "\n Please enter your password \n";
cout<< "password:";
getline(cin, entry, '\n');
while(entry != decrypt())
  {
   cout <<"Invalid password, \n Please re-enter your password. \n";
 getline(cin, entry, '\n');
  }

cout << "Verifying... Welcome \n";  //This would be pared with an if statement
                                // so as to begin a program if "positive" 
                                // or terminate for "false"

return 0;
}

I decided to go with a really basic "Caesar cipher" method of encryption (I know it's really really pathetic in terms of protection, but at least the password isn't in plain text anymore!)


I'm (obviously) really new to C++ programming and security issues; I don't really know much of anything about cracking techniques (other than the obvious 'brute-force' attack). As such, I don't know if I'm making the most of the security measures I have in place

I'm thinking about rewriting my "while entry!=password" loop to an "if (pass=entry) {go on} with a nested "for" loop within the else category-- I'm pretty sure this could at least slow down the brute-crack process (somehow set it ups so the user is automatically logged out after 'X' failed attempts).

:: Questions:: ::Questions:: ::Questions::

-Can the decrypted password variable (or, more specifically, it's string value) be intercepted by someone running the app?
-If so, are there any (preferably simple) ways to combat this?

-Other than the nested 'for' loop... Does anyone have any suggestions as to how I can make this program (or just my general programming skills) better?

-Can the decrypted password variable (or, more specifically, it's string value) be intercepted by someone running the app?

Yes.

-If so, are there any (preferably simple) ways to combat this?

No trivial measures can solve this. It is basicly a question of "if someone has sufficient access to the machine and/or software before you ask for the password, they will be able to break in". There are various ways you could try to make it harder, but there is really no easy way to prevent someone who is really determined to get into the system.

However, one thing you could do is to ENCRYPT the incoming password, rather than decrypt the "correct" password. That way, the correct password is never available as clear-text, which does help security somewhat.

-Other than the nested 'for' loop... Does anyone have any suggestions as to how I can make this program (or just my general programming skills) better?

Your indentation [use of spaces to indicate which code belongs in which loop/if-statement etc] is abysmal - this may be because you use a mix of spaces and tabs in your editor. Most editors have a setting to say "use spaces instead of tabs" - so if your code looks very different in your editor than on the forum page, you may want to check if there is a setting like that.

I don't think putting delay loops is the best idea. Use Sleep() or some similar funciton, it will have the same effect, but not use 100% of the CPU time for the duration of the delay - and the delay won't vary depending on the speed of the processor. What takes 1 second on a really old 486 processor probably takes a tenth of a second on a 2-year old processor, and less on the latest greatest processors.

--
Mats

However, one thing you could do is to ENCRYPT the incoming password, rather than decrypt the "correct" password. That way, the correct password is never available as clear-text, which does help security somewhat.

Wow, that seems obvious but it never occurred to me-- thanks Mats!

//Switching the cipher to code the entry would be a pretty quick fix, but just for the sake of
//learning (and for fun) I might try to use Xor encryption instead (I mean, I might as well put that nifty code snippet from mikeman to use) :-P


As for the Sleep() function: (what it does, how to implement it, etc.)

Google is my friend.

I'm not sure what the Sleep() function does, but to "set it up so the user is automatically logged out after X number of attempts" is easy without having to nest a for loop. Just use the for loop plainly, the code would be "for(x=1;x<=5;x++)". Then have the code to check if (entry!=decrypt) inside the for loop. This would give the user 5 tries to get the password correct before exiting the loop.

From MSDN:
The Sleep function suspends the execution of the current thread for at least the specified interval.
It takes only one argument - the number of milliseconds to sleep.

note that it is a Windows-specific function.

Confusingly, the Unix variant, sleep(unsigned int) (note the lowercase "s") takes the number of seconds to sleep for.