Protecting passwords Topic is solved

This forum can be used to talk about general design strategies, new ideas and questions in general related to wxWidgets. If you feel your questions doesn't fit anywhere, put it here.
Post Reply
selles
Earned a small fee
Earned a small fee
Posts: 21
Joined: Thu Dec 29, 2005 3:20 am

Protecting passwords

Post by selles » Sat May 06, 2006 12:51 am

Hi peoples, :D

With wxConfigBase I can to save all configuration dat from my application but when these data is a password I unknow if this process is safe.. :?

Exist anyone safe way for do it? or using wxConfigBase is safe?

thank You.
(sorry my english)

Jorg
Moderator
Moderator
Posts: 3971
Joined: Fri Aug 27, 2004 9:38 pm
Location: Delft, Netherlands
Contact:

Post by Jorg » Sat May 06, 2006 8:42 am

You can use MD5 hashing not to store the pwd, but the hash of it. When the user enters the pwd, you re-verify the hash code against the stored one, if they match, you pass. This way they cannot copy and paste it from the config. Another way is perform some kind of encrypting. There are opensource libs that can perform encrypting, but the MD5 hashing is the most used for passwords..

- Jorgen
Forensic Software Engineer
Netherlands Forensic Insitute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb

eranif
Moderator
Moderator
Posts: 606
Joined: Tue Nov 29, 2005 7:10 pm
Location: Israel

Post by eranif » Sat May 06, 2006 7:02 pm

Hi,

I mostly use blowfish for encrypting data.

http://www.schneier.com/blowfish.html

Eran
IDE: CodeLite + wxCrafter
OS: All
https://wxcrafter.codelite.org
https://codelite.org

sethjackson
Super wx Problem Solver
Super wx Problem Solver
Posts: 396
Joined: Wed Oct 05, 2005 1:19 am

Post by sethjackson » Sun May 07, 2006 12:20 am

Yup. Blowfish is better than MD5 AFAIK.....

selles
Earned a small fee
Earned a small fee
Posts: 21
Joined: Thu Dec 29, 2005 3:20 am

Post by selles » Sun May 07, 2006 2:26 am

Thank you for the important answers :D

but what is MD5 hash e pwd? an API or program?

Jorg
Moderator
Moderator
Posts: 3971
Joined: Fri Aug 27, 2004 9:38 pm
Location: Delft, Netherlands
Contact:

Post by Jorg » Sun May 07, 2006 8:07 am

You can find more info here:

http://www.codeproject.com/cpp/cmd5.asp

With regards,
- Jorgen
Forensic Software Engineer
Netherlands Forensic Insitute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb

selles
Earned a small fee
Earned a small fee
Posts: 21
Joined: Thu Dec 29, 2005 3:20 am

Post by selles » Mon May 08, 2006 3:32 am

Thank you for the attention Jorg :D

Jorg
Moderator
Moderator
Posts: 3971
Joined: Fri Aug 27, 2004 9:38 pm
Location: Delft, Netherlands
Contact:

Post by Jorg » Mon May 08, 2006 7:03 am

Glad you are helped.

ps. For the wxAwards system to work, you are supposed to press assist or accept on the thread you find that answered your question the best ;-)

- Jorgen
Forensic Software Engineer
Netherlands Forensic Insitute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb

jsheets
Earned a small fee
Earned a small fee
Posts: 22
Joined: Wed Oct 19, 2005 1:21 pm

Post by jsheets » Tue May 16, 2006 4:37 pm

Really blowfish and md5 are two seperate techniques. Hashing is more commonly used for storing passwords and is the technique I use though you will want to consider both techniques.

Blowfish is a symmetric block cipher, other examples are Rijndael and Twofish and is reversible provided you use the same key. These ciphers are primarily used for storing information you want to decrypt in the future like files.

Block ciphers can work but the problem is the application has to be able to retrieve the encryption key, using the password as the encryption key could be one solution. If you follow Jorg's technique you don't ever have to decrypt the password. Some applications encrypt the password but then store the encryption key in a config file somewhere, making it trivial for an attacker to decrypt the passwords.

MD5 is a hash algorithm which in theory is one way, other examples of hashing algorithm are SHA-1 and SHA-256.

Hashing is a good way of storing a password because if the hash is exposed the password is still not compromised (most people use 1 or 2 passwords for everything).

Both MD5 and SHA-1 have been broken and should not be used look at SHA-256 instead.

Botan, Crypto++ and libmcrypt all implement SHA-256 and many other block cipher and hashing algorithms. Botan in particular has very good documentation and a tutorial for using the library.

The Botan tutorial also goes over using HMAC and helps avoid some common mistakes. I'm in the process of building an open source file encryption program using Botan and wxWidgets and have verified Botan compiles under MinGW on Windows. I also considered Cryptopp but lack of documentation and performance benchmarks led me to Botan.

Post Reply