Hi people,
With wxConfigBase I can save all configuration data from my application, but when this data is a password I don't know whether this process is safe.
Is there any safe way to do it? Or is using wxConfigBase safe?
Thank you.
(sorry for my English)
Protecting passwords
You can use MD5 hashing to store not the password but the hash of it. When the user enters the password, you re-verify the hash code against the stored one; if they match, you pass. This way they cannot copy and paste it from the config. Another way is to perform some kind of encryption. There are open-source libs that can perform encryption, but MD5 hashing is the most used for passwords.
- Jorgen
Forensic Software Engineer
Netherlands Forensic Institute
http://english.forensischinstituut.nl/
-------------------------------------
Jorg's WasteBucket
http://www.xs4all.nl/~jorgb/wb
Glad you were helped.
PS: for the wxAwards system to work, you are supposed to press Assist or Accept on the post you find answered your question best.
- Jorgen
Really, Blowfish and MD5 are two separate techniques. Hashing is more commonly used for storing passwords and is the technique I use, though you will want to consider both techniques.
Blowfish is a symmetric block cipher (other examples are Rijndael and Twofish) and is reversible provided you use the same key. These ciphers are primarily used for storing information you want to decrypt in the future, like files.
Block ciphers can work, but the problem is that the application has to be able to retrieve the encryption key; using the password as the encryption key could be one solution. If you follow Jorg's technique you never have to decrypt the password. Some applications encrypt the password but then store the encryption key in a config file somewhere, making it trivial for an attacker to decrypt the passwords.
MD5 is a hash algorithm, which in theory is one-way; other examples of hashing algorithms are SHA-1 and SHA-256.
Hashing is a good way of storing a password because if the hash is exposed the password is still not compromised (most people use one or two passwords for everything).
Both MD5 and SHA-1 have been broken and should not be used; look at SHA-256 instead.
Botan, Crypto++ and libmcrypt all implement SHA-256 and many other block cipher and hashing algorithms. Botan in particular has very good documentation and a tutorial for using the library.
The Botan tutorial also goes over using HMAC and helps avoid some common mistakes. I'm in the process of building an open source file encryption program using Botan and wxWidgets and have verified Botan compiles under MinGW on Windows. I also considered Crypto++ but lack of documentation and performance benchmarks led me to Botan.