Thread: Storing Passwords/Encryption

  1. #1
    Registered User Tonto's Avatar
    Join Date
    Jun 2005
    Location
    New York
    Posts
    1,465

    Storing Passwords/Encryption

    I was making a program that stores login information from a user, just so that they don't have to enter it every time. I was just wondering what sort of security measures I should take in storing the information in a file?

    I know there's lots of ways to do things but I just don't think I can store the hashes only, and I was wondering what kinds of encryption might be good to use for this application

  2. #2
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    >> I know there's lots of ways to do things but I just don't think I can store the hashes only

    Why would you think that?

    >> what kinds of encryption might be good to use for this application

    Currently, I think the SHA-2 and variants are recommended over MD5 and SHA-1, as there have been weaknesses found in the latter ones.

    Besides this though, you should also consider that an attacker may be able to override the security by altering the executable on disk or the program in memory. These are much less likely risks, but nonetheless quite real.
    Code:
    #include <cmath>
    #include <complex>
    bool euler_flip(bool value)
    {
        return std::pow
        (
            std::complex<float>(std::exp(1.0)), 
            std::complex<float>(0, 1) 
            * std::complex<float>(std::atan(1.0)
            *(1 << (value + 2)))
        ).real() < 0;
    }

  3. #3
    Registered User
    Join Date
    Oct 2008
    Posts
    1,262
    I think he means he's going to store other sites (or similar) login information. Which means he also has to decrypt the password again.
    Look into openssl. It has the capability of a private key file with a password protection. But still, if someone would be able to hack the computer, he could simply detect your keystrokes to find the password. So it provides only backwards security, not forwards. That is, if it's hacked, nothing is compromised directly, only in the future.

  4. #4
    3735928559
    Join Date
    Mar 2008
    Location
    RTP
    Posts
    838
    edit: correction. the one i was thinking of is this one

    http://hoozi.com/Downloads/AES_Encrypt.rar
    Last edited by m37h0d; 06-29-2009 at 08:02 AM.

  5. #5
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    The key to ANY security situation is the balance of threat vs. extra complexity. If your most valuable item is a half-read softback book, you may not need the Fort Knox security, right?

    Who are you hiding the password from? Some spy organization (CIA, FBI, KGB etc) or someone in your family (assuming they are NOT CIA/FBI/KGB)?

So you are storing passwords for what? And on what machine? Who has access to that machine? What is the "threat" and what may be the "loss"? If you are keeping passwords to open Fort Knox you need more protection than if you are keeping the passwords of a user to Cprogramming.com.

    In the latter case, you may find that it's sufficient to encrypt using a xor-encryption (perhaps using some clever tricks to get the initial key). Obviously, that would not be enough in the former case!

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  6. #6
    Registered User linuxdude's Avatar
    Join Date
    Mar 2003
    Location
    Louisiana
    Posts
    926
You should look into salts if you want a secure password store. Linux stores (encrypted) user passwords in a file /etc/shadow. However, it is secure because it is only readable by root, and even if your root account is compromised, the encrypted password is suffixed with a salt. This way even two identical passwords are different + there is an added protection against dictionary attacks.

  7. #7
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by linuxdude View Post
You should look into salts if you want a secure password store. Linux stores (encrypted) user passwords in a file /etc/shadow. However, it is secure because it is only readable by root, and even if your root account is compromised, the encrypted password is suffixed with a salt. This way even two identical passwords are different + there is an added protection against dictionary attacks.
    It is also one-way encrypted, which if you want to send the password matching an account at cprogramming.com's forum, won't work. It is POSSIBLE to crack the passwords in Unix systems by trying passwords and knowing the salt - but it is not possible to get the original password back if you haven't got a "guess" to encrypt and then check if the "guess" matches the encrypted value.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
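To make the distinction in the two posts above concrete, here is an added example (not code from the thread) of a salted one-way password store: a record can only be checked by re-deriving from a guess, never turned back into the password, and identical passwords yield different records. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for the crypt(3) scheme behind /etc/shadow; the record format `salt$hash` is an assumption for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# One-way derivation parameters (assumed values for illustration).
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' for storage.

    A fresh random salt per password means two users with the same
    password get different records, and a precomputed dictionary of
    hashes cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def check_guess(record: str, guess: str) -> bool:
    """The only way to 'decrypt' a record: re-derive from the stored salt
    and compare. There is no function that recovers the password itself.
    Constant-time comparison avoids leaking where a mismatch occurs."""
    salt_hex, digest_hex = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """Illustrates the point about salts: the same password stored twice
    produces two different records."""
    return make_record(password) != make_record(password)


if __name__ == "__main__":
    rec = make_record("correct horse")       # constructed sample password
    print(rec)
    print(check_guess(rec, "correct horse"))  # True
    print(check_guess(rec, "Correct horse"))  # False
    print(same_password_different_records("hunter2"))  # True
```

Note that this is exactly what the original poster cannot use: a program that must send the real password to another service needs it back, which a one-way record never provides.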

  8. #8
    Registered User
    Join Date
    Jan 2009
    Posts
    31
    Quote Originally Posted by Tonto View Post
    I was making a program that stores login information from a user, just so that they don't have to enter it every time. I was just wondering what sort of security measures I should take in storing the information in a file?

    I know there's lots of ways to do things but I just don't think I can store the hashes only, and I was wondering what kinds of encryption might be good to use for this application
    If this is for logging onto services that you do not control (meaning, you need compatibility with existing systems), the only way to store the information in a somewhat secure fashion is to use a master key (a decryption key, usually provided by the user, that decrypts all of the secured information in a password database). The disadvantage is that the user is required to remember at least one password, though the user should only have to type in the password once per session. Depending on the situation, care may need to be taken as to how this information is stored in memory, as a program that can read the process's memory could compromise this information.

    The more information that you store about an account, the more likely that information could be compromised. Security is usually inversely proportional to convenience.

  9. #9
    (?<!re)tired Mario F.'s Avatar
    Join Date
    May 2006
    Location
    Ireland
    Posts
    8,446
It's my guess any method you choose, Tonto, will always be hackable if you allow the encryption/decryption process to occur in the application. It would be useful to know how you plan to store the login information.

Assuming you plan to store it on a database in a three-tier environment, you should rely on the database's own encryption methods. This provides you with a reliable secure system, since it takes the whole process away from the application user. They would need to hack into the database, not the application. And the database, again assuming a multi-tier structure to your application, would not be accessible by the user.

To illustrate... assuming MySQL, you could use the SQL functions AES_ENCRYPT and AES_DECRYPT with the key stored on the database also. These functions would reside inside stored procedures. The application would only pass the password entered by the user and the stored procedure would get the key from the database itself and validate the password. It would only return success or failure.
    Originally Posted by brewbuck:
    Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
