username and password in script



sandyrepope
23-07-2007, 23:20
When a program requires the user to input a username and password, would it be acceptable to use the username as a folder name and store the encrypted password there?

My script will eventually have to handle multiple users and keep each user from accessing other users' data. I was thinking that the above approach could work well enough, but I'd appreciate some input about it.

Thanks
Sandy

ErosOlmi
23-07-2007, 23:44
Sandy,

Protecting data using directories is not so simple. If the data is file based, the only way to protect it on a local hard disk is to have multiple STANDARD users and one ADMINISTRATOR user who grants or denies each of the other users access to specific directories, using Windows 2000 or WinXP integrated security. Win9x OSs have no security at all for this.

Another approach can be to store user data in separate files and encrypt every file using the user name and password as the secret key. But pay attention: if you lose a password you will not get the file data back.

There are many other ways to do protection. It also depends on what you want to achieve.
Maybe some more details can help other people here better understand and think of possible solutions.

Ciao
Eros

Michael Clease
24-07-2007, 00:23
It depends how important the data is.

I would just take each byte of the data, subtract 1, then XOR with another known number, then add 1. That would be enough to confuse most people; why make it difficult for yourself?

The XOR number could come from the username: just take each letter's ASCII value and XOR it with the next letter's value, and now you have your key.

I tried that on a friend who said he could crack anything I could come up with. He spent about a day trying, then gave up, and I told him that the encrypted data was a text string, something like "TRY AND CRACK ME".
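Added example, not code from Michael's post or from thinBasic: the byte-wise scheme above written out in Python, followed by the known-plaintext key recovery it does not resist. The key layout is an assumption (the post reads as "each letter XOR the next letter", so the key here is that byte sequence, cycled over the data), and the sample note is constructed for the example.

```python
# Added example (not from the thread): Michael's byte-wise scheme plus the
# known-plaintext attack on it. Key layout is an assumption, see the lead-in.


def derive_xor_key(username: str) -> bytes:
    """Key from the username: each letter's ASCII value XORed with the next letter's."""
    raw = username.encode("ascii")
    if len(raw) < 2:
        raise ValueError("username needs at least two characters")
    return bytes(raw[i] ^ raw[i + 1] for i in range(len(raw) - 1))


def obfuscate(data: bytes, key: bytes) -> bytes:
    """Per byte: subtract 1, XOR with the key byte, add 1 (everything modulo 256).

    The transform is its own inverse, so the same call decrypts:
    ((c - 1) ^ k) + 1 with c = ((d - 1) ^ k) + 1 gives back d.
    """
    return bytes(
        ((((d - 1) & 0xFF) ^ key[i % len(key)]) + 1) & 0xFF
        for i, d in enumerate(data)
    )


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: one plaintext/ciphertext byte pair per key position.

    From c = ((d - 1) ^ k) + 1 it follows that k = (c - 1) ^ (d - 1), so key_len
    bytes of known plaintext are enough to recover the whole key.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(
        ((ciphertext[i] - 1) & 0xFF) ^ ((known_plaintext[i] - 1) & 0xFF)
        for i in range(key_len)
    )


# Constructed sample: a notes file whose first line is predictable (the program
# writes the same header shape for every day), which is exactly the known
# plaintext an attacker needs.
SAMPLE_NOTE = b"Notes for 2007-07-24\nDentist at 10:00, then call the bank about the loan.\n"
KNOWN_HEADER = b"Notes for 2007-07-24\n"


def demo(username: str = "sandyrepope") -> bytes:
    """Encrypt the sample note, then read it back knowing only the header and the key length."""
    key = derive_xor_key(username)
    ciphertext = obfuscate(SAMPLE_NOTE, key)
    # The attacker never touches `key`; they know the file format and the key
    # length (username length minus one; the username is the folder name).
    recovered = recover_key(KNOWN_HEADER, ciphertext, len(key))
    return obfuscate(ciphertext, recovered)
```

Two things worth noticing: because the key is computed from the username, and the username is proposed as the folder name, anyone who can see the folder can simply run derive_xor_key; and even if the key were secret, one predictable line of plaintext hands it over, after which every other note encrypted for that user reads in the clear.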

ErosOlmi
24-07-2007, 00:26
Your friend is a real hacker ;)

Michael Clease
24-07-2007, 00:33
This was over 15 years ago, using 68000 asm, when we used to modify software to run without protection.

cracker not hacker.

sandyrepope
24-07-2007, 03:01
The thing is, I don't know anything about the data a user might type in. I don't know if anyone would put sensitive data in or not.

My program displays a month calendar and gives the user the option to type in notes for each day of any month and year. Then they can save the notes if they choose. I have used the crypto module to encrypt the files on the disk. The main problem is that I don't know if the program needs username and password protection. Right now, to read the entered notes, all anyone would have to do is run the program. I would try to post the script, but it's a little large and I haven't commented the code yet. I'm sure there are things I should do with the script that I haven't thought of yet.

I've been thinking about putting the program out as freeware just as soon as I think it's ready.

Thanks
Sandy

RobertoBianchi
24-07-2007, 10:17
Hi Sandy,

Storing the user name and password isn't the right way.
Instead put the user name and password + some data as filler into a string; for example, if sUser="RobertoBianchi", sPassword="Londinium" and sFiller="TimeTable12345", make sString = sUser + sFiller + sPassword and then compute an MD5 hash of sString; finally use this hash to encrypt/decrypt the per-user data.
It is often useful to put a signature at the beginning of the user data, so you can tell whether the decrypted data is correct.
Of course, to simplify access to the user data (from the program's perspective) you can store the encrypted data in a folder with the same name as the user.

Ciao,
Roberto
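Added example, not code from Roberto's post or from thinBasic: his layout (key derived from user name + password, a signature at the start of the plaintext to detect a wrong password, files kept in a folder named after the user) in Python, with three changes that are this example's assumptions and not his: PBKDF2-HMAC-SHA256 with a random salt in place of MD5(user + filler + password), an HMAC tag so a tampered or wrong-password file is rejected before anything is decrypted, and a whitelist on the username before it becomes a folder name. The stream cipher is HMAC-SHA256 in counter mode purely to stay inside the standard library; a real program should use a vetted AEAD such as AES-GCM from the `cryptography` package. The sample note and password are constructed.

```python
# Added example (not from the thread): per-user encrypted notes along Roberto's
# lines; KDF, tag and username check are assumptions of this example.
import hashlib
import hmac
import os
import re
import tempfile
from typing import Optional

SIGNATURE = b"NOTES1\x00"      # constructed marker at the start of every plaintext
ITERATIONS = 100_000           # PBKDF2 work factor (assumption; raise as hardware allows)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_safe_username(username: str) -> bool:
    """Reject anything that could escape the notes root when used as a folder name."""
    return bool(SAFE_USERNAME.match(username)) and username not in (".", "..")


def derive_keys(username: str, password: str, salt: bytes) -> tuple:
    """One slow KDF call, split into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", f"{username}\x00{password}".encode("utf-8"), salt, ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib-only stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(username: str, password: str, notes: bytes) -> bytes:
    """File layout: salt || nonce || ciphertext(SIGNATURE || notes) || HMAC tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(username, password, salt)
    plain = SIGNATURE + notes
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def open_sealed(username: str, password: str, blob: bytes) -> Optional[bytes]:
    """Return the notes, or None for a wrong password or a modified file."""
    if len(blob) < SALT_LEN + NONCE_LEN + len(SIGNATURE) + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(username, password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    if not plain.startswith(SIGNATURE):   # Roberto's signature check, kept as a second line
        return None
    return plain[len(SIGNATURE):]


def notes_path(root: str, username: str) -> str:
    """Folder named after the user, as in the post: a namespace, not a security boundary."""
    if not is_safe_username(username):
        raise ValueError(f"refusing to use {username!r} as a folder name")
    return os.path.join(root, username, "notes.bin")


def save_notes(root: str, username: str, password: str, notes: bytes) -> str:
    path = notes_path(root, username)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(seal(username, password, notes))
    return path


def load_notes(root: str, username: str, password: str) -> Optional[bytes]:
    path = notes_path(root, username)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return open_sealed(username, password, fh.read())


def demo() -> tuple:
    """Round trip in a temp dir: correct password, wrong password, tampered file."""
    root = tempfile.mkdtemp()
    note = b"24 Jul 2007: call Eros about the script\n"   # constructed sample
    path = save_notes(root, "sandy", "correct horse", note)
    good = load_notes(root, "sandy", "correct horse")
    wrong = load_notes(root, "sandy", "wrong horse")
    with open(path, "r+b") as fh:                       # flip one ciphertext byte
        fh.seek(SALT_LEN + NONCE_LEN + len(SIGNATURE))
        b = fh.read(1)
        fh.seek(-1, 1)
        fh.write(bytes([b[0] ^ 0x01]))
    tampered = load_notes(root, "sandy", "correct horse")
    return good, wrong, tampered
```

The username goes into the KDF input (separated from the password by a NUL), which gives the binding the post's filler string was reaching for; the per-file random salt is what stops a precomputed table from covering every user at once, and the slow KDF is what a single fast MD5 does not give you against offline guessing. The folder named after the user is still only a convenience: as Eros says above, anyone who can read the disk can read or delete every file, so the encryption, not the folder, is the protection.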

sandyrepope
24-07-2007, 15:52
Roberto, You have some very good ideas there. The part I am having a hard time understanding is about the hash. I've checked the help and it doesn't give enough information to be helpful.

It says that there are two different types of hash algorithms that we can use but it doesn't say what they are or how to choose which to use.

I would appreciate help with understanding the details of hash.

Thanks
Sandy

RobertoBianchi
24-07-2007, 16:59
Sandy,


A hash function H is a transformation that takes an input m and returns a fixed-size string, called the hash value h (that is, h = H(m)).
You can think of a hash as a digital fingerprint.
There are quite a number of hash algorithms on the market, as well as home-made ones.
We have implemented MD5 and SHA-1, plus the older cyclic redundancy checksum polynomials of 16/32-bit length (aka CRC16 and CRC32).
You can find details and code at http://www.pbcrypto.com/pbcrypto.php
Which algorithm to use? It depends. CRCs are lightweight but too simple and insecure to meet the basic requirements for a cryptographic hash. The SHA-1 algorithm is slightly slower than MD5, but it is more secure against brute-force collision and inversion attacks than MD5.
Generally I prefer MD5, but the choice is up to you.

Cheers,
Roberto

ErosOlmi
24-07-2007, 17:57
Roberto, You have some very good ideas there. The part I am having a hard time understanding is about the hash. I've checked the help and it doesn't give enough information to be helpful.

It says that there are two different types of hash algorithms that we can use but it doesn't say what they are or how to choose which to use.

I would appreciate help with understanding the details of hash.

Thanks
Sandy


Sandy,

you are right. I will add more info.

In any case, Type = 1 is FNV32. You can get more info here:
http://www.pbcrypto.com/view.php?algorithm=fnv32

Type = 2 is a self-made algo.

Ciao
Eros

RobertoBianchi
25-07-2007, 08:57
Sandy,

Sorry, I misunderstood your post. If you were speaking about the core Hash() function, please see Eros's post, but take note that the FNV hash isn't a valid cryptographic hash, because it doesn't meet the basic requirements for a cryptographic hash.

Ciao,
Roberto

ErosOlmi
25-07-2007, 09:25
Yes, we are talking about different things using the same name.

The thinBasic Hash function is used to return an "index" given a string. That index can then be used in arrays or more complex data structures as a reference for that string. See some info here: http://en.wikipedia.org/wiki/Hash_function

Roberto was talking about cryptographic hashes, which usually return complex strings given as input the string buffer you want to encrypt. More info: http://en.wikipedia.org/wiki/Cryptographic_hash_function

So, Sandy, if you want cryptography, do not use the thinBasic Hash function.

Ciao
Eros
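Added example, not code from the thread or from thinBasic: a 32-bit FNV hash in Python with two experiments that make Eros's and Roberto's distinction concrete. Whether thinBasic's Hash() type 1 is FNV-1 or FNV-1a is not stated on the page, so FNV-1a is an assumption here; the structural point holds for both. The input strings are constructed.

```python
# Added example (not from the thread): FNV-1a 32-bit, why it is fine as an
# array index and unusable as a cryptographic hash. FNV-1a is an assumption
# for thinBasic's "FNV32"; the page does not say which variant it is.
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
FNV32_PRIME_INV = pow(FNV32_PRIME, -1, 2**32)   # the prime is odd, so invertible mod 2^32


def fnv1a_32(data: bytes) -> int:
    """Standard FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def unwind(h: int, suffix: bytes) -> int:
    """Run the hash backwards: from the final value and the trailing bytes,
    recover the internal state before those bytes were absorbed.

    Every step is an XOR and a multiplication by an odd constant, both
    invertible, so nothing is lost. A cryptographic hash must not allow this.
    """
    for b in reversed(suffix):
        h = ((h * FNV32_PRIME_INV) & 0xFFFFFFFF) ^ b
    return h


def find_collision(limit: int = 2_000_000):
    """Birthday search over constructed inputs "note-0", "note-1", ...

    With only 32 bits of output a repeat is expected after roughly 2^16
    tries, which is why two different strings end up with the same "index".
    Returns (first_input, second_input, tries), or None if limit is hit.
    """
    seen = {}
    for i in range(limit):
        m = b"note-%d" % i
        h = fnv1a_32(m)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None
```

For a table index, a collision is a normal event that the data structure resolves. For a key derived from a password it is a second working password, and the 32-bit output means at most 2^32 distinct keys whatever the password looks like; the unwind function shows the other missing property, that the state is fully recoverable from the output. The MD5 and SHA-1 routines Roberto mentions are built so that neither experiment is feasible.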