Protecting passwords

Posted: Sat May 06, 2006 12:51 am
by selles
Hi peoples, :D

With wxConfigBase I can save all configuration data from my application, but when this data is a password I don't know if this process is safe.. :?

Is there any safe way to do it? Or is using wxConfigBase safe?

Thank you.
(sorry for my English)

Posted: Sat May 06, 2006 8:42 am
by Jorg
You can use MD5 hashing not to store the pwd, but the hash of it. When the user enters the pwd, you re-verify the hash code against the stored one; if they match, you pass. This way they cannot copy and paste it from the config. Another way is to perform some kind of encryption. There are opensource libs that can perform encryption, but MD5 hashing is the most used for passwords..

- Jorgen

Posted: Sat May 06, 2006 7:02 pm
by eranif
Hi,

I mostly use blowfish for encrypting data.

http://www.schneier.com/blowfish.html

Eran

Posted: Sun May 07, 2006 12:20 am
by sethjackson
Yup. Blowfish is better than MD5 AFAIK.....

Posted: Sun May 07, 2006 2:26 am
by selles
Thank you for the important answers :D

but what are MD5 hash and pwd? An API or a program?

Posted: Sun May 07, 2006 8:07 am
by Jorg
You can find more info here:

http://www.codeproject.com/cpp/cmd5.asp

With regards,
- Jorgen

Posted: Mon May 08, 2006 3:32 am
by selles
Thank you for the attention Jorg :D

Posted: Mon May 08, 2006 7:03 am
by Jorg
Glad you were helped.

ps. For the wxAwards system to work, you are supposed to press assist or accept on the thread you find that answered your question the best ;-)

- Jorgen

Posted: Tue May 16, 2006 4:37 pm
by jsheets
Really, blowfish and md5 are two separate techniques. Hashing is more commonly used for storing passwords and is the technique I use, though you will want to consider both techniques.

Blowfish is a symmetric block cipher (other examples are Rijndael and Twofish) and is reversible provided you use the same key. These ciphers are primarily used for storing information you want to decrypt in the future, like files.

Block ciphers can work, but the problem is the application has to be able to retrieve the encryption key; using the password as the encryption key could be one solution. If you follow Jorg's technique you don't ever have to decrypt the password. Some applications encrypt the password but then store the encryption key in a config file somewhere, making it trivial for an attacker to decrypt the passwords.

MD5 is a hash algorithm which in theory is one way; other examples of hashing algorithms are SHA-1 and SHA-256.

Hashing is a good way of storing a password because if the hash is exposed the password is still not compromised (most people use 1 or 2 passwords for everything).

Both MD5 and SHA-1 have been broken and should not be used; look at SHA-256 instead.

Botan, Crypto++ and libmcrypt all implement SHA-256 and many other block cipher and hashing algorithms. Botan in particular has very good documentation and a tutorial for using the library.

The Botan tutorial also goes over using HMAC and helps avoid some common mistakes. I'm in the process of building an open source file encryption program using Botan and wxWidgets and have verified Botan compiles under MinGW on Windows. I also considered Cryptopp but lack of documentation and performance benchmarks led me to Botan.