Author Topic: The most easy encrypting/decrypting password method?  (Read 11424 times)

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #30 on: September 29, 2021, 08:27:38 pm »
Just wanted to add this great article about PW hashing.

https://medium.com/@marcusfernstrm/hash-it-like-you-mean-it-proper-password-hashing-in-freepascal-55c85bad4a96
It's still difficult to apply encryption/decryption for auto login for me. :(

Thaddy

  • Hero Member
  • *****
  • Posts: 10991
Re: The most easy encrypting/decrypting password method?
« Reply #31 on: September 29, 2021, 09:03:17 pm »
Well, we explained it to you in very simple terms and some - like me - somewhat more difficult. I will see what I can do in the weekend.
The average programmer productivity is 4-5 hours per day. Peak performance 72 hours for short bursts. MTBF is 1 second or less.

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #32 on: September 29, 2021, 09:36:13 pm »
Also, that article explains how to generate a good hash. That's also too strong for what I need because for me sha256 security is enough. The problem is to get the decrypt to create an autologin. For sha256 it cannot exist without a private key that can be easily found.
A simple encryption method that cannot be decoded online or with tools like notepad++ (base64) should be enough.

@Thaddy thanks.

Just studying this to understand if it is what I'm looking for: https://stackoverflow.com/a/13146105/3147886
« Last Edit: September 29, 2021, 10:33:55 pm by Conte »

MarkMLl

  • Hero Member
  • *****
  • Posts: 3535
Re: The most easy encrypting/decrypting password method?
« Reply #33 on: September 29, 2021, 10:09:57 pm »
Just studying this to understand if it's what I'm looking for: https://stackoverflow.com/a/13146105/3147886

No, you need an introductory text on basic cryptography.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #34 on: September 30, 2021, 10:34:59 pm »
I'm blocked with the auto-login. I was able to encrypt a string but didn't realize it cannot be decrypted.
So problem changed: I need a safe way to store the password without success.
I found some tips about windows credential manager and the usage with delphi but I'm only getting errors.

devEric69

  • Hero Member
  • *****
  • Posts: 644
Re: The most easy encrypting/decrypting password method?
« Reply #35 on: September 30, 2021, 10:41:25 pm »
So problem changed: I need a safe way to store the password, without success.

You should take a look at OnGuard (when we know nothing about cryptology, like me, except XOR, it's the easiest O:-) ).
« Last Edit: September 30, 2021, 10:49:39 pm by devEric69 »
use: Linux 64 bits (Ubuntu 20.04 LTS).
Lazarus version: 2.0.4 (svn revision: 62502M) compiled with fpc 3.0.4 - fpDebug \ Dwarf3.

dbannon

  • Hero Member
  • *****
  • Posts: 1679
    • tomboy-ng, a rewrite of the classic Tomboy
Re: The most easy encrypting/decrypting password method?
« Reply #36 on: October 01, 2021, 01:38:25 am »
So problem changed: I need a safe way to store the password without success.

Look Conte, you are thinking of this as a technical problem, it's not, it's a social one.  What you mean by 'safe' depends entirely on context.  If you live in a house 100 km from anyone else, never have visitors and never connect to the internet, a Post It Note stuck on the side of your screen is quite safe.

If you share a house with a comsci student, a gamer and a person who loves practical jokes, it's a very different situation. You need to do a careful risk assessment and balance that off against the level of convenience you believe you must have.

* The Post It Note ?  Someone might see it and guess it's a password ...
* A plain text file with all your passwords ?  What if you leave your laptop on a train ....
* Use GetMem's really good code snippet and encrypt your passwords using a key hard wired in your code ? Someone (who finds your laptop on the train) might look through your code, see what the password is and decrypt your password file.  Or they may use your application to connect, with your passwords, to the sites you use it with.
* Same as above but you use one password, that you can remember to unlock your app. Now, as long as you don't leave the app running when you leave the laptop on the train ...

Then look at the impact of the risks.

* Well, one of the passwords gets me into Dad's company's bank account, hmm...
....
* One of the passwords is for the Lazarus forum, I don't use that much. But that practical joker ...

Then, look at the convenience issue.
* The Post It note is always there when I need it.
* If I forget the one password I need to unlock the application, I lose all my passwords .....

I personally use KeepPassX, my wife uses her own version, it's relatively easy, I copy and paste the password I need. But I do have to remember its unlock password and I have to remember to put EVERY password I create in there.

There, I have answered your question without a single line of code !

Davo
Lazarus 2, Linux (and reluctantly Win10, OSX)
My Project - https://github.com/tomboy-notes/tomboy-ng

MarkMLl

  • Hero Member
  • *****
  • Posts: 3535
Re: The most easy encrypting/decrypting password method?
« Reply #37 on: October 01, 2021, 08:41:30 am »
I'm blocked with the auto-login. I was able to encrypt a string but didn't realize it cannot be decrypted.

In that case you didn't encrypt it, you hashed it. Go back and read what everybody has been trying to tell you.

Apart from that I echo the good advice that Davo's given you, but would add that software is readily available which can (a) find less-than-random data in a binary file and highlight it as text or trivially-obfuscated text (b) find fully-random data in a binary file and highlight it as a possible encryption key. There's ways round that, but if you intend to roll your own then you urgently need to learn about the underlying techniques for both defence and attack.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

devEric69

  • Hero Member
  • *****
  • Posts: 644
Re: The most easy encrypting/decrypting password method?
« Reply #38 on: October 01, 2021, 09:03:24 am »
@Conte, IMHO, practically speaking, you would need:
- an encryption-decryption algorithm - say, named Crypto_x - stored in your program;
- an overall administration key-phrase for (administration role to manage each program's key-phrase, server side) your encrypting program, which must be known only to you, never encrypted;
- a key-phrase only for your program (program specific, used for all program's clients) must itself be encrypted and stored inside your program (by your overall administration keyphrase), stored encrypted or not on the server side;
So, already said, but never ever reveal your overall and your program encryption keys to your client's side, of course. @dbannon, btw, I also use KeepPassX in order to store the key-phrases.
- your client's side information (password, or license number, ...). I don't know what you want to use as protection, verification, ... But this information must - too - be already encrypted and stored (specific for each client of the same program) in the program.

➔ If you have injected inside your software, in hexadecimal: the encrypted keyphrase (of your program) + the information of your client (what is called a composite license, say) + the algo. named Crypto_x, then you can decrypt the already encrypted information in your program. You can already display this roughly when you start your program: 'licence: decrypted num#' and\or 'client name: decrypted client name'. This is already dissuasive.

It's also possible to imagine making a "match" request on the internet, if this information exists in a database on the .net. You could pass, for example, the encrypted data over the request, and it's the algo. Crypto_x on the HTTP server side that will decrypt and check if it matches something on the server's database, etc.
« Last Edit: October 01, 2021, 09:11:58 am by devEric69 »
use: Linux 64 bits (Ubuntu 20.04 LTS).
Lazarus version: 2.0.4 (svn revision: 62502M) compiled with fpc 3.0.4 - fpDebug \ Dwarf3.

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #39 on: October 01, 2021, 09:20:47 am »
@devEric69
The app can connect to multiple databases. Each with a user/password. I want to avoid typing the credentials every time (or copy-pasting them from KeepPassX). To add a simple measure of security of course it should be encrypted (the password only). It does not need to be strong, but not easy to decrypt either.
That's why I am thinking that using windows credential manager could be enough. Because creating what you said is of course more safe, but I don't need that level of security.
I'm trying the code suggested here but the compiler gives a lot of errors:
https://stackoverflow.com/questions/13145112/secure-way-to-store-password-in-windows
« Last Edit: October 01, 2021, 09:25:55 am by Conte »

GetMem

  • Hero Member
  • *****
  • Posts: 3517
Re: The most easy encrypting/decrypting password method?
« Reply #40 on: October 01, 2021, 10:49:11 am »
@Conte

You don't listen, do you? Since this annoying thread keeps popping up in my feed, I translated the Windows Credential Manager functions for you. Now please close this thread.

Functions:
Code: Pascal
uses jwaWindows;

// Read the generic credential stored under Target from Windows Credential Manager.
function CredReadGenericCredentials(const Target: WideString; var Username, Password: WideString): Boolean;
var
  Credential: PCREDENTIALW;
  Le: DWORD;
  ErrMsg: WideString;
begin
  Result := False;
  Credential := nil;
  if not CredReadW(PWideChar(Target), CRED_TYPE_GENERIC, 0, {var}credential) then
  begin
    Le := GetLastError;
    ErrMsg := 'Could not get "' + Target + '" generic credentials: ' + WideString(SysErrorMessage(Le)) + ' ' + WideString(IntToStr(Le));
    OutputDebugStringW(PWideChar(ErrMsg));
    Exit;
  end;
  try
    Username := Credential^.UserName;
    // CredentialBlobSize is in bytes; a WideChar is 2 bytes.
    SetString(Password, PWideChar(Credential^.CredentialBlob), Credential^.CredentialBlobSize div 2);
  finally
    CredFree(Credential); // release the buffer allocated by CredReadW
  end;
  Result := True;
end;

// Store Username and Password as a generic credential under Target.
function CredWriteGenericCredentials(const Target, Username, Password: WideString): Boolean;
var
  Credentials: CREDENTIALW;
begin
  ZeroMemory(@Credentials, SizeOf(Credentials));
  Credentials.TargetName := PWideChar(Target);
  Credentials.Type_ := CRED_TYPE_GENERIC;
  Credentials.UserName := PWideChar(Username);
  Credentials.Persist := CRED_PERSIST_LOCAL_MACHINE;
  Credentials.CredentialBlob := PByte(Password);
  Credentials.CredentialBlobSize := 2*(Length(Password)); // size in bytes
  Result := CredWriteW(@Credentials, 0);
end;

// Remove the generic credential stored under Target.
function CredDeleteGenericCredentials(const Target: WideString): Boolean;
begin
  Result := CredDeleteW(PWideChar(Target), CRED_TYPE_GENERIC, 0);
end;


Usage:
Code: Pascal
const
  Target: WideString = 'Conte''s super safe password until the first memory dump';

procedure TForm1.Button1Click(Sender: TObject);
var
  Username: WideString;
  Password: WideString;
begin
  Username := 'conte';
  Password := '12345';
  if CredWriteGenericCredentials(Target, UserName, Password) then
    ShowMessage('Successfully stored the password!')
  else
    ShowMessage('Crap!');
end;

procedure TForm1.Button2Click(Sender: TObject);
var
  UserName: WideString;
  Password: WideString;
begin
  Username := '';
  Password := '';
  if CredReadGenericCredentials(Target, Username, Password) then
    ShowMessage('Username: ' + Username + sLineBreak + 'Password: ' + Password)
  else
    ShowMessage('Crap!')
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  if CredDeleteGenericCredentials(Target) then
    ShowMessage('Succesfully deleted!')
  else
    ShowMessage('Crap!')
end;


Proof it works:
See attached screenshot.

« Last Edit: October 01, 2021, 11:04:27 am by GetMem »

Warfley

  • Hero Member
  • *****
  • Posts: 621
Re: The most easy encrypting/decrypting password method?
« Reply #41 on: October 01, 2021, 11:54:36 am »
The question with respect to cryptography is always what you want to achieve.

Your goal is to store the password so the user does not need to reenter it every time. So my first question is, why do you want to use cryptography in the first place? To make it secure? Well, bad news for you, it isn't.
Encryption can be thought of as putting some information into a box and putting a padlock on it. To open it you need the key for the padlock. If you use cryptography to store a single password, you just moved the problem one step further, because now what do you do with the encryption key? Let the user enter it each time the application starts? Then you traded one password for another, and as users are lazy, probably the exact same password anyway. In the padlock analogy this is like carrying a key so you can open a box with another key inside.
Another solution would be to hardcode the password as a constant in your program, in which case a simple string search through your binary reveals the password. You could try to be smart and obfuscate the password, e.g. let it be generated through a pseudo random number generator like an LSR with a fixed random seed, so it requires some reverse engineering, but that's not real security either. This is basically like just leaving the key hanging in the padlock.
Lastly you could simply store the encryption password somewhere on hard disk, but then, why not simply store the original password on hard disk? Which is basically storing the key right next to the box.
To get back to the padlock analogy, a padlock is useless if you place the key right next to the box. It is only secure if the key is kept somewhere secure. And if you find the local filesystem of your computer not secure,  there is no point in storing the key there.

Long story short, all you do is replace one password with another but still have the same problems as before.

Simple solution, just don't bother. Programs like Firefox or Chrome store passwords locally without encryption. They encode them differently (I think FF uses Base64 encoding) to not have it in plain text (and thereby easily searchable) but after all, any additional effort to try to be smart is simply a waste of time. It doesn't get any more secure and you are just making your life harder.
« Last Edit: October 01, 2021, 12:04:07 pm by Warfley »
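The string search Warfley mentions and the less-than-random / fully-random scan MarkMLl mentions can be run as a pre-release check on your own executable. The following is an added example, not code from any poster in this thread: it scans a constructed byte blob for ASCII and UTF-16LE (WideString) literals and for 32-byte windows that look random. The blob contents, the function names and the 4.5-bit threshold are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a compiled program: filler bytes, an ASCII
# literal, a UTF-16LE (WideString) literal, and a 32-byte key.
FILLER = bytes([0x55, 0x48, 0x89, 0xE5, 0x90]) * 20
ASCII_SECRET = b"db_password=Summer2021!"
WIDE_SECRET = "conte:12345".encode("utf-16-le")
# 32 distinct bytes standing in for a random 256-bit key (constructed).
KEY = bytes((i * 167 + 13) % 256 for i in range(32))
GAP = b"\x00" * 48

BLOB = FILLER + GAP + ASCII_SECRET + GAP + WIDE_SECRET + GAP + KEY + GAP + FILLER
KEY_OFFSET = BLOB.index(KEY)


def find_strings(data, min_len=6):
    """Return (offset, text) for ASCII and UTF-16LE printable runs."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(hits)


def entropy(window):
    """Shannon entropy of the byte histogram, in bits per byte."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def random_looking_regions(data, size=32, threshold=4.5):
    """Merge overlapping windows whose entropy is near the 5-bit maximum."""
    regions = []
    for off in range(len(data) - size + 1):
        if entropy(data[off:off + size]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1] = (regions[-1][0], off + size)
            else:
                regions.append((off, off + size))
    return regions


if __name__ == "__main__":
    for off, text in find_strings(BLOB):
        print(f"string at {off:#06x}: {text!r}")
    for start, end in random_looking_regions(BLOB):
        print(f"possible key material at {start:#06x}-{end:#06x}")
```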

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #42 on: October 01, 2021, 08:34:38 pm »
@GetMem I had put the wrong uses, I was using jwawincred. Anyway it doesn't work for me. If I run the exe from Lazarus' compiler button it gives me back 'External SIGSEGV error'. If I run the exe as administrator I just receive the 'Crap!' message.
This is the header part of my unit1 before your function starts:
Code:
unit Unit1;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, Forms, Controls, Graphics, Dialogs, StdCtrls, jwawindows;

type

  { TForm1 }

  TForm1 = class(TForm)
    Button1: TButton;
    Button2: TButton;
    Button3: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);

  private

  public

  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

SIGSEGV error appears only when button1 is clicked, the other 2 just show 'crap!'.
« Last Edit: October 01, 2021, 09:24:09 pm by Conte »

GetMem

  • Hero Member
  • *****
  • Posts: 3517
Re: The most easy encrypting/decrypting password method?
« Reply #43 on: October 02, 2021, 08:46:40 am »
What is the error message inside function CredWriteGenericCredentials? Put the following line at the end of the function:
Code: Pascal
  //...
  Credentials.UserName := PWideChar(Username);
  Result := CredWriteW(@Credentials, 0);
  ShowMessage(SysErrorMessage(GetLastError));  // this one
Did you try to run the program as admin? Also what is your windows version?
« Last Edit: October 02, 2021, 09:02:51 am by GetMem »

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #44 on: October 02, 2021, 09:02:06 am »
I have run it as admin. I have wind10 64bit.
To set a breakpoint I just set the red ? point on the left of the line?

 
