Posted: Sat May 06, 2006 12:51 am
With wxConfigBase I can save all configuration data from my application, but when this data is a password I don't know if this process is safe.
Is there any safe way to do it? Or is using wxConfigBase safe?
(sorry for my English)
Posted: Sat May 06, 2006 8:42 am
You can use MD5 hashing not to store the pwd, but the hash of it. When the user enters the pwd, you re-verify the hash code against the stored one; if they match, you pass. This way they cannot copy and paste it from the config. Another way is to perform some kind of encrypting. There are open-source libs that can perform encrypting, but MD5 hashing is the most used for passwords.
Posted: Sat May 06, 2006 7:02 pm
I mostly use blowfish for encrypting data.
Posted: Sun May 07, 2006 12:20 am
Yup. Blowfish is better than MD5 AFAIK.....
Posted: Sun May 07, 2006 2:26 am
Thank you for the important answers,
but what is MD5 hash and pwd? An API or a program?
Posted: Sun May 07, 2006 8:07 am
You can find more info here:
Posted: Mon May 08, 2006 3:32 am
Thank you for the attention Jorg
Posted: Mon May 08, 2006 7:03 am
Glad you are helped.
ps. For the wxAwards system to work, you are supposed to press assist or accept on the thread you find that answered your question the best
Posted: Tue May 16, 2006 4:37 pm
Really, Blowfish and MD5 are two separate techniques. Hashing is more commonly used for storing passwords and is the technique I use, though you will want to consider both techniques.
Blowfish is a symmetric block cipher (other examples are Rijndael and Twofish) and is reversible provided you use the same key. These ciphers are primarily used for storing information you want to decrypt in the future, like files.
Block ciphers can work, but the problem is the application has to be able to retrieve the encryption key; using the password as the encryption key could be one solution. If you follow Jorg's technique you don't ever have to decrypt the password. Some applications encrypt the password but then store the encryption key in a config file somewhere, making it trivial for an attacker to decrypt the passwords.
MD5 is a hash algorithm which in theory is one way; other examples of hashing algorithms are SHA-1 and SHA-256.
Hashing is a good way of storing a password because if the hash is exposed the password is still not compromised (most people use 1 or 2 passwords for everything).
Both MD5 and SHA-1 have been broken and should not be used; look at SHA-256 instead.
Botan, Crypto++ and libmcrypt all implement SHA-256 and many other block cipher and hashing algorithms. Botan in particular has very good documentation and a tutorial for using the library.
The Botan tutorial also goes over using HMAC and helps avoid some common mistakes. I'm in the process of building an open source file encryption program using Botan and wxWidgets and have verified Botan compiles under MinGW on Windows. I also considered Cryptopp but lack of documentation and performance benchmarks led me to Botan.
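The hash-and-verify approach discussed in this thread, as an added example that is not code from any of the posters: it uses Python's standard library, with `configparser` standing in for wxConfigBase, and goes beyond the thread by adding a random per-password salt and PBKDF2-HMAC-SHA256 iterations rather than a single bare SHA-256. The section name, key names and iteration count are assumptions.

```python
import configparser
import hashlib
import hmac
import io
import os

ITERATIONS = 600_000  # assumed work factor; tune for your hardware
SECTION = "Auth"      # hypothetical config section name


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: salted and deliberately slow, unlike a bare hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(cfg: configparser.ConfigParser, password: str) -> None:
    """Write salt, iteration count and derived hash; never the password."""
    salt = os.urandom(16)
    cfg[SECTION] = {
        "salt": salt.hex(),
        "iterations": str(ITERATIONS),
        "hash": _derive(password, salt, ITERATIONS).hex(),
    }


def verify_password(cfg: configparser.ConfigParser, candidate: str) -> bool:
    """Re-derive from the entered password and compare with the stored hash."""
    try:
        salt = bytes.fromhex(cfg[SECTION]["salt"])
        iterations = int(cfg[SECTION]["iterations"])
        stored = bytes.fromhex(cfg[SECTION]["hash"])
    except (KeyError, ValueError):
        return False  # missing or tampered record: fail closed
    if iterations <= 0:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(candidate, salt, iterations), stored)


def roundtrip(password: str, candidate: str) -> bool:
    """Store, serialise to INI text, reload, then verify (constructed demo)."""
    cfg = configparser.ConfigParser()
    store_password(cfg, password)
    buf = io.StringIO()
    cfg.write(buf)  # what would land in the config file on disk
    loaded = configparser.ConfigParser()
    loaded.read_string(buf.getvalue())
    return password not in buf.getvalue() and verify_password(loaded, candidate)
```
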