Recent

Author Topic: Encrypted passowrds  (Read 2914 times)

daveinhull

  • Full Member
  • ***
  • Posts: 249
  • 1 divided by nothing must still be 1!
Encrypted passowrds
« on: January 08, 2019, 02:08:31 pm »
Hi, before I go too far searching (already done some), I thought I just ask anyone for their thoughts.

My program (as I've been previously discussing) needs to send emails and as such I need to use a password.

My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?

I was also thinking of storing them in the Registry as 1) it would help me learn about accessing the Registry for other things and 2) seems like a good place to store stuff that is needed on a regular basis? I wasn't keen on the idea of an .ini file, but not averse to it.

Thanks
Dave
Version #:1.8.4 Date 2019-01-08 FPC Version: 3.0.4 and SVN Revision 57972 for x86_64-win64-win32/win64

HeavyUser

  • Sr. Member
  • ****
  • Posts: 262
Re: Encrypted passowrds
« Reply #1 on: January 08, 2019, 02:25:51 pm »
Hi, before I go too far searching (already done some), I thought I just ask anyone for their thoughts.

My program (as I've been previously discussing) needs to send emails and as such I need to use a password.

My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?

I was also thinking of storing them in the Registry as 1) it would help me learn about accessing the Registry for other things and 2) seems like a good place to store stuff that is needed on a regular basis? I wasn't keen on the idea of an .ini file, but not averse to it.

Thanks
Dave
On windows use the credentials manager (ee CredWriteW/CredReadW) https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/authentication-functions#credentials_management_functions on linux I guess gnome Keyring is one of the libraries on macos I have no idea.

Pascal

  • Hero Member
  • *****
  • Posts: 823
Re: Encrypted passowrds
« Reply #2 on: January 08, 2019, 03:52:47 pm »
You can also encode/decode the password yourself:
Code: Pascal  [Select]
  1. uses ..., BlowFish;
  2. ...
  3. function Encode(pValue: String): String;
  4. var
  5.   s: TStringStream;
  6.   e: TBlowFishEncryptStream;
  7.   tmp: String;
  8.   h, l: Byte;
  9.   i: Integer;
  10. begin
  11.   s := TStringStream.Create('');
  12.   e := TBlowFishEncryptStream.Create(GetPasswordHash, s);
  13.   try
  14.     e.WriteAnsiString(pValue);
  15.     tmp := s.DataString;
  16.     Result := '';
  17.     for i := 1 to length(tmp) do begin
  18.       h := Byte(tmp[i]) shr 4;
  19.       l := Byte(tmp[i]) and $0F;
  20.       case h of
  21.         0..9: Result := Result + char(48 + h);
  22.         10..15: Result := Result + char(55 + h);
  23.       end;
  24.       case l of
  25.         0..9: Result := Result + char(48 + l);
  26.         10..15: Result := Result + char(55 + l);
  27.       end;
  28.     end;
  29.   finally
  30.     e.Free;
  31.     s.Free
  32.   end;
  33. end;
  34.  
  35. function Decode(pValue: String): String;
  36. var
  37.   tmp: string;
  38.   s: TStringStream;
  39.   d: TBlowFishDeCryptStream;
  40.   z, h, l: Byte;
  41.   i: Integer;
  42. begin
  43.   Result := '';
  44.   try
  45.     if pValue = '' then
  46.       exit;
  47.     tmp := '';
  48.     i := 1;
  49.     while i < length(pValue) do begin
  50.       z := 0;
  51.       h := Byte(pValue[i]);
  52.       case h of
  53.         65..70: z := h - 55;
  54.         48..57: z := h - 48;
  55.       end;
  56.       z := z shl 4;
  57.       l := Byte(pValue[i+1]);
  58.       case l of
  59.         65..70: z := z + l - 55;
  60.         48..57: z := z + l - 48;
  61.       end;
  62.       tmp := tmp + char(z);
  63.       inc(i, 2);
  64.     end;
  65.     s := TStringStream.Create(tmp);
  66.     d := TBlowFishDeCryptStream.Create(GetPasswordHash, s);
  67.     try
  68.       Result := d.ReadAnsiString;
  69.     finally
  70.       d.Free;
  71.       s.Free;
  72.     end;
  73.   except
  74.     on E: Exception do begin
  75.       Result := '';
  76.       ShowMessage(Format('Fehler in Decode("%s"):'#10'%s',[pValue, E.Message]));
  77.     end;
  78.   end;
  79. end;
  80.  
laz trunk - fpc trunk 32bit - Windows 10 Pro x64 (1803)

daveinhull

  • Full Member
  • ***
  • Posts: 249
  • 1 divided by nothing must still be 1!
Re: Encrypted passowrds
« Reply #3 on: January 08, 2019, 04:09:31 pm »
Thanks guys, great start  :D
Version #:1.8.4 Date 2019-01-08 FPC Version: 3.0.4 and SVN Revision 57972 for x86_64-win64-win32/win64

minesadorada

  • Hero Member
  • *****
  • Posts: 579
  • Retired
Re: Encrypted passowrds
« Reply #4 on: January 08, 2019, 08:32:45 pm »
You could use the cryptini component (from OPM) to read/write them from an INI file.
GPL Apps: Health MonitorRetro Ski Run
OnlinePackageManager Components: LazAutoUpdate, LongTimer, PoweredBy, ScrollText, PlaySound, CryptINI

Leledumbo

  • Hero Member
  • *****
  • Posts: 8074
  • Programming + Glam Metal + Tae Kwon Do = Me
Re: Encrypted passowrds
« Reply #5 on: January 12, 2019, 07:56:48 pm »
My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.

lucamar

  • Hero Member
  • *****
  • Posts: 1555
Re: Encrypted passowrds
« Reply #6 on: January 12, 2019, 09:01:58 pm »
My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.

Hashing won't do: They're used to access other service so he needs to be able to recover them -

My program (as I've been previously discussing) needs to send emails and as such I need to use a password.

My (quick) question is how and where should I store these passwords?
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus 1.8.4 & 2.0.2 w/FPC 3.0.4 on:
(K|L)Ubuntu 12..16, Windows XP SP3, various DOSes.

Ñuño_Martínez

  • Hero Member
  • *****
  • Posts: 907
    • Burdjia
Re: Encrypted passowrds
« Reply #7 on: January 14, 2019, 01:36:51 pm »
My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.

Hashing won't do: They're used to access other service so he needs to be able to recover them -
But you don't need to recover.  Just store the hash and to check you do: "IF GetHash (Password) = HashedPassword THEN".
Are you interested in game programming? Join the Pascal Game Development community!
Also visit the Game Development Portal

lucamar

  • Hero Member
  • *****
  • Posts: 1555
Re: Encrypted passowrds
« Reply #8 on: January 14, 2019, 02:58:06 pm »
But you don't need to recover.  Just store the hash and to check you do: "IF GetHash (Password) = HashedPassword THEN".

No. Read the OPs post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other service and he wants to store them securely.

My program (as I've been previously discussing) needs to send emails and as such I need to use a password.

My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus 1.8.4 & 2.0.2 w/FPC 3.0.4 on:
(K|L)Ubuntu 12..16, Windows XP SP3, various DOSes.

Bart

  • Hero Member
  • *****
  • Posts: 3436
    • Bart en Mariska's Webstek
Re: Encrypted passowrds
« Reply #9 on: January 14, 2019, 10:23:32 pm »
No. Read the OPs post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other service and he wants to store them securely.

There is no secure way to store password in that context.
If you can decrypt it, then some hacker will also.

Bart

lucamar

  • Hero Member
  • *****
  • Posts: 1555
Re: Encrypted passowrds
« Reply #10 on: January 14, 2019, 10:43:40 pm »
There is no secure way to store password in that context.
If you can decrypt it, then some hacker will also.

Bart

Of course; it's an arms' race between strong encryption implementors and crackers (not hackers, please). The question is: is it possible to encrypt a passwords vault so that in won't be easily breached today or tomorrow or in the next six months? And the answer is ... yes, probably. It won't deter everyone but it will most. One can't ask for more (even if you work for the CIA :))

Do note that that hashing you're all recomending is also crakable and new hash algorithms are being created to try to avoid that ... with the same results: SHA1 anyone? MD5?
Turbo Pascal 3 CP/M - Amstrad PCW 8256 (512 KB !!!) :P
Lazarus 1.8.4 & 2.0.2 w/FPC 3.0.4 on:
(K|L)Ubuntu 12..16, Windows XP SP3, various DOSes.

garlar27

  • Hero Member
  • *****
  • Posts: 594
Re: Encrypted passowrds
« Reply #11 on: January 15, 2019, 12:03:21 am »
On PCI standard you might find some advise.

Ñuño_Martínez

  • Hero Member
  • *****
  • Posts: 907
    • Burdjia
Re: Encrypted passowrds
« Reply #12 on: January 15, 2019, 07:45:38 pm »
No. Read the OPs post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other service and he wants to store them securely.
Oh, I missunderstood.

(...) crackers (not hackers, please). (...)
Yes.  I'm hacker, not cracker. 8)
Are you interested in game programming? Join the Pascal Game Development community!
Also visit the Game Development Portal