[SOLVED] Storing and encrypting/decrypting passwords

[madref]

Maybe a simple question or a difficult one...


But does Lazarus have a way of encrypt/decrypt passwords or do i have to write it myself?

[balazsszekely]

But does Lazarus have a way of encrypt/decrypt passwords or do i have to write it myself?

You have to write it yourself. 
http://wiki.freepascal.org/DCPcrypt
Use a hash for passwords.

[JD]

FreePascal has units like BlowFish & MD5sum so you will be able to use them to encrypt passwords.

JD

[serbod]

MD5 is extremelly weak, use SHA-1 instead.

[madref]

I am using the suggested module/unit/package.


I am using the following code to encrypt my password

Code: Pascal  [Select][+][-]

1.  
2. procedure TForm_Options.Button1Click(Sender: TObject);
3. var
4.   Texto: String;
5.   Output: array [1..20] of byte;
6.   i: integer;
7. begin
8.   Hash:= TDCP_sha1.Create(nil);
9.   Hash.Init;
10.   Hash.UpdateStr('1234567890');
11.  
12.  
13.   Hash.Final(Output);
14.   Hash.Free;
15.  
16.  
17.   texto:='';
18.   for i:=1 to 20 do
19.   texto:=texto+inttohex(Output[i],1);
20.   showmessage(texto);
21. end;     // Button1Click    

But how can i decrypt my password?

[balazsszekely]

@madref
But how can i decrypt my password?

You can't! Please read more about hashing.
When a user enter a password, just hash it and compare with the saved values.

[Leledumbo]

But how can i decrypt my password?

You don't. Hash is one way, once hashed, you can't retrieve the original value back as hash allows collision (distinct values might hash to the same hashed value). What you do to login is to hash the entered password in the same way as you hash the correct password and compare the hashed value.

[madref]

But how can i then encrypt en decrypt a string?


I want to use this to store my password and then retrieve it for use.

[Leledumbo]

Oh man...why todays programmers are so stubborn...? Fine, if you want encryption for password, go for it:
http://wiki.lazarus.freepascal.org/DCPcrypt
use the (block) ciphers, not the hashes. But don't say that we didn't warn you if someone can still find out the password and steal your money.

[JD]

But how can i then encrypt en decrypt a string?

I want to use this to store my password and then retrieve it for use.

As GetMem & Leledumbo said earlier, you don't need to retrieve or decrypt the encrypted password. The sequence is as follows:

FIRST LOGIN
a) user enters password
b) encrypt the password
c) save the encrypted password

SUBSEQUENT LOGINS
a) user enters password
b) encrypt the password
c) compare the encrypted value to the value saved to file earlier in (c) above
d) if they are equal, allow access; if not tell the user his/her password does not match what is on file

JD

[engkin]

@madref

You might benefit from learning to add salt to passwords before you hash them. Read this thread.

[JD]

@madref

I often recommend this article when I'm asked about passwords. Interesting reading if I may say so

You're Probably Storing Passwords Incorrectly
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/

JD

[madref]

Thats one thing i understand. It's logical.


But i want to store my password for the mailserver i use in a file so that i can access it.
So i have to be able to encrypt and decrypt it.

[Thaddy]

MD5 is extremelly weak, use SHA-1 instead.

SHA-1 is extremely weak (not as weak as MD5) so use at a minimum SHA256.

And for the OP: plz don't be silly, don't store passwords for a mail server, only hashes. Anything else smells....
Usually your problem with decrypting (which is a no, no ,no) is solved by an out-of band solution that you know but is not in anyway connected to the password or file(s) you control. Like with SMS or (worse but still plausible) a question about your favorite dinner ever or something like that.
Don't ever store passwords from somebody else. it is a stupid idea.

[madref]

Why the hell do you think i want to hash them !!!
And i am experimenting with it to get a better knowledge of it.