Author Topic: The most easy encrypting/decrypting password method?  (Read 15415 times)

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #15 on: September 28, 2021, 09:27:37 pm »
I have in mind this.
First time that the form is opened there's a button to click that will ask for username and password and will store it.
Next time I open the Form and click the button it automatically logs in (the exe is intended for a user only so there's no need to ask user and psw again).
The exe should contain the key to decrypt the string stored.

Thaddy

  • Hero Member
  • *****
  • Posts: 14205
  • Probably until I exterminate Putin.
Re: The most easy encrypting/decrypting password method?
« Reply #16 on: September 28, 2021, 09:39:11 pm »
Quote
I have in mind this.
First time that the form is opened there's a button to click that will ask for username and password and will store it.
Hopefully not.
Quote
Next time I open the Form and click the button it automatically logs in (the exe is intended for a user only so there's no need to ask user and psw again).
The exe should contain the key to decrypt the string stored.
Never do that. Do not store anything except the hash.
Specialize a type, not a var.

balazsszekely

  • Guest
Re: The most easy encrypting/decrypting password method?
« Reply #17 on: September 28, 2021, 09:49:43 pm »
Quote
I have in mind this.
First time that the form is opened there's a button to click that will ask for username and password and will store it.
Next time I open the Form and click the button it automatically logs in (the exe is intended for a user only so there's no need to ask user and psw again).
The exe should contain the key to decrypt the string stored.

Your method is not safe. It can be easily cracked by an advanced user. However, if the goal is to store the credentials in a relatively safe form (not plain text), so a regular user cannot see it, then it is doable.

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: The most easy encrypting/decrypting password method?
« Reply #18 on: September 28, 2021, 09:51:42 pm »
Quote
I have in mind this.
First time that the form is opened there's a button to click that will ask for username and password and will store it.
Next time I open the Form and click the button it automatically logs in (the exe is intended for a user only so there's no need to ask user and psw again).
The exe should contain the key to decrypt the string stored.

OK, but never UNDER ANY CIRCUMSTANCES store and use the passphrase as entered because of the risk that the lackwitted user will use the same passphrase for more than one service. Use a seeded hash on the password, if necessary truncate the result (decent hash algorithms are supposed to obfuscate bit patterns adequately), and use /that/ as the password being submitted to the remote service.

What you do locally is your responsibility: it's your computer, or you've got a professional relationship with your clients and are protected by your liability insurance. But you must ALWAYS assume that the service to which you're connecting will eventually get hacked, and you should ALWAYS assume that they aren't protecting their users' passwords adequately, hence you should NEVER put yourself in the position of passing on an incautiously-selected passphrase without hashing it.

I must admit that I do have reservations about your writing code from scratch to store passphrases locally, and if I were doing it I'd be very much inclined to research the availability of some existing library complying with PCI DSS, or interworking with one of the storage mechanisms used by various browsers etc.

(Noting Thaddy's post which has beaten me to the post, but thinking that we're in broad agreement.)
(And noting GetMem's which arrived while I was typing that...)

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
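
Added example, not part of MarkMLl's post or any forum member's code: the "seeded hash, truncated, submitted as the password" idea from reply #18, written in Python. PBKDF2-HMAC-SHA256, the service name plus username as the seed, the iteration count, the 24-character output and all sample values are assumptions made here; the thread specifies none of them.

```python
import base64
import hashlib

ITERATIONS = 200_000  # assumed work factor, not from the thread
OUT_CHARS = 24        # assumed truncation length of the submitted password


def _seed(service: str, username: str) -> bytes:
    """Build the seed from service and account, length-prefixing each field
    so that ("ab", "c") and ("a", "bc") cannot collide."""
    parts = (service.lower().encode("utf-8"), username.encode("utf-8"))
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_service_password(passphrase: str, service: str, username: str,
                            iterations: int = ITERATIONS,
                            length: int = OUT_CHARS) -> str:
    """Return the value to submit to `service` instead of the raw passphrase.

    The remote side only ever sees this derived value, so a breach there
    exposes neither the passphrase nor the value used for another service.
    """
    if not passphrase:
        raise ValueError("empty passphrase")
    # 32 bytes of output encode to 43 Base64 characters plus one '=' pad.
    if not 16 <= length <= 43:
        raise ValueError("length must be between 16 and 43 characters")
    raw = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              _seed(service, username), iterations)
    # URL-safe Base64 keeps the result typeable; slicing is the truncation step.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample values.
    phrase = "one passphrase reused everywhere"
    for svc in ("db.example.internal", "forum.example.org"):
        print(svc, derive_service_password(phrase, svc, "alice"))
```

The derived value is what gets registered with the service in the first place; the passphrase itself is never sent or stored.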

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #19 on: September 28, 2021, 10:09:51 pm »
Guys the software will be used by me only. It will not be shared or sold...
That's why the Windows lock is enough when I'm not in front of the PC. But to connect to the db (in this case) I do not want to write my username and password every time. To add some safety I want to store it encrypted in the registry.
Codes I tried till now are not working. The only one that worked is the one I used to hash a string in sha256. Problem was to decrypt then, I have not put that in mind.
But I need so an easy encryption / decryption way of a simple string.

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: The most easy encrypting/decrypting password method?
« Reply #20 on: September 28, 2021, 10:14:08 pm »
Quote
Guys the software will be used by me only. It will not be shared or sold...
That's why the Windows lock is enough when I'm not in front of the PC.

Listen old chap (or kiddo, if you lean towards Americanisms :-) As far as encryption etc. is concerned the important thing is to always assume that you're nowhere near as smart as you think you are. And if you were passably smart you'd have taken the hint given to you already about starting off with at least a partial quote to establish context :-) :-) :-) :-) :-)

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

balazsszekely

  • Guest
Re: The most easy encrypting/decrypting password method?
« Reply #21 on: September 28, 2021, 10:16:55 pm »
Quote
But I need so an easy encryption / decryption way of a simple string.
Here you go...this is a simple way to Encrypt/Decrypt a string with a key. No extra packages are needed.
Code: Pascal
unit uCrypto;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, BlowFish, Base64;

  // Encrypts AText with Blowfish under AKey and returns the result as Base64 text.
  function Encrypt(const AKey, AText: String): String;
  // Reverses Encrypt: Base64-decodes AText, then decrypts it with AKey.
  function Decrypt(const AKey, AText: String): String;

implementation

function Encrypt(const AKey, AText: String): String;
var
  SS: TStringStream;            // receives the raw ciphertext
  BES: TBlowFishEncryptStream;
begin
  Result := '';
  // Empty or whitespace-only input yields an empty result.
  if Trim(AText) = '' then
    Exit;
  SS := TStringStream.Create('');
  try
    BES := TBlowFishEncryptStream.Create(AKey, SS);
    try
      BES.Write(Pointer(AText)^, Length(AText));
    finally
      // Free the encrypt stream before reading SS so all output has been written.
      BES.Free;
    end;
    // Base64 only makes the binary ciphertext printable; it adds no secrecy.
    Result := EncodeStringBase64(SS.DataString);
  finally
    SS.Free;
  end;
end;

function Decrypt(const AKey, AText: String): String;
var
  SS: TStringStream;            // holds the Base64-decoded ciphertext
  BDS: TBlowFishDeCryptStream;
  Str, Txt: String;
begin
  Result := '';
  if Trim(AText) = '' then
    Exit;
  Str := '';
  Txt := DecodeStringBase64(AText);
  SS := TStringStream.Create(Txt);
  try
    BDS := TBlowFishDeCryptStream.Create(AKey, SS);
    try
      // Allocate room for the whole ciphertext; the plaintext cannot be longer.
      SetLength(Str, SS.Size);
      BDS.Read(Pointer(Str)^, SS.Size);
      Result := Str;
    finally
      BDS.Free;
    end;
  finally
    SS.Free;
  end;
end;

end.

Conte

  • New Member
  • *
  • Posts: 27
Re: The most easy encrypting/decrypting password method?
« Reply #22 on: September 28, 2021, 10:33:49 pm »
Did you just code it? Thanks.
If it were commented it would be better to learn  :D

Edit: just read base64 is unsafe.
« Last Edit: September 28, 2021, 11:12:35 pm by Conte »

balazsszekely

  • Guest
Re: The most easy encrypting/decrypting password method?
« Reply #23 on: September 29, 2021, 06:21:51 am »
@Conte

Quote
Edit: just read base64 is unsafe.
Blowfish, the main part of the encryption is Blowfish. Base64 is just for cosmetic purposes, so the end result doesn't look like vomit.
Is it safe? No, but not because of Blowfish. Your executable can be easily disassembled, the password will reveal itself like magic.

Thaddy

  • Hero Member
  • *****
  • Posts: 14205
  • Probably until I exterminate Putin.
Re: The most easy encrypting/decrypting password method?
« Reply #24 on: September 29, 2021, 06:59:06 am »
The auto-login can be achieved by the following schematic:
First time use: compare the hashed credentials from the first login.
If that is OK, issue a public certificate to the user.
After that certificate is issued you can skip further pw logins - in code - on that machine.
The program will only run on that single machine, for a single user and nobody but its user can use the application. With e.g. OpenSSL - or with a bit more effort in code - you can create a certificate authority server side.
You can create client certificates in code or also with OpenSSL.
You may have to do some admin to have the certificate accepted on your machine or use commercially available certificates.
The only direct vulnerability is the possibility that someone else is able to access the user account: in that case it is fatal, so everything relies on strong passwords for access to that OS account. Another option is to store the user certificate on a portable medium instead of the certificate store. That would not even need further credentials. This is a bit like how RSA sticks work.
Once you understand this and have implemented it you are able to create software that relies on "certificate walls" i.e. machines and domains that share data with each other must have certificates that are part of the same certificate chain and issued by the same authority.
« Last Edit: September 29, 2021, 07:14:38 am by Thaddy »
Specialize a type, not a var.

dbannon

  • Hero Member
  • *****
  • Posts: 2786
    • tomboy-ng, a rewrite of the classic Tomboy
Re: The most easy encrypting/decrypting password method?
« Reply #25 on: September 29, 2021, 07:13:22 am »
I remember doing something like what Conte wants very many years ago when security was not seen as important. With a password embedded in the binary, all you needed to see it was the strings command.  So, I broke the password up into several bits declared in different places. But the compiler's optimization put it all back together again! Sigh.

But, what Conte wants is not that different to what we do with our browsers every day, we go to some web site, perhaps gitlab, enter our password and the browser wants to save it for us.  Come back tomorrow and it's all there cached. I am guessing Firefox encrypts your (not mine) password and decrypts it when it's needed the next day?

OAuth and similar systems are better ....

Davo
Lazarus 3, Linux (and reluctantly Win10/11, OSX Monterey)
My Project - https://github.com/tomboy-notes/tomboy-ng and my github - https://github.com/davidbannon

Thaddy

  • Hero Member
  • *****
  • Posts: 14205
  • Probably until I exterminate Putin.
Re: The most easy encrypting/decrypting password method?
« Reply #26 on: September 29, 2021, 07:16:02 am »
Quote
OAuth and similar systems are better ....
Actually, that is an implementation of part of what I described  :D
For OP this is a good solution too and we have OAUTH/OAuth2 code as standard in the FPC standard libraries. (Actually two), e.g. the Google one. The downside is it requires internet access, so is less applicable to private networks. It also requires a Google Key to develop.
« Last Edit: September 29, 2021, 07:21:38 am by Thaddy »
Specialize a type, not a var.

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: The most easy encrypting/decrypting password method?
« Reply #27 on: September 29, 2021, 09:02:13 am »
Quote
But, what Conte wants is not that different to what we do with our browsers every day, we go to some web site, perhaps gitlab, enter our password and the browser wants to save it for us.  Come back tomorrow and it's all there cached. I am guessing Firefox encrypts your (not mine) password and decrypts it when it's needed the next day?

I've not investigated in detail how it works but it's possible to use an external program to decode and dump Mozilla's stored passphrases for backup purposes. And while Firefox etc. are commendably thorough about asking for the master password at startup and when anything is to be displayed in clear, my recollection is that the dump program doesn't- even when first installed.

And again I'd emphasise that Mozilla's way of doing it is questionable in that it does absolutely nothing to prevent a user using the same passphrase for multiple online services.

Having said which, as a modestly clued-up user who is careful to not reuse passphrases, I'm rather happier with Mozilla's password management than I am with any third-party service that manages plaintext passphrases.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

linnemann

  • New Member
  • *
  • Posts: 34

MarkMLl

  • Hero Member
  • *****
  • Posts: 6676
Re: The most easy encrypting/decrypting password method?
« Reply #29 on: September 29, 2021, 10:19:44 am »
Quote
Just wanted to add this great article about PW hashing.

https://medium.com/@marcusfernstrm/hash-it-like-you-mean-it-proper-password-hashing-in-freepascal-55c85bad4a96

Thanks for that, and kudos to the original author. I skimmed it half-way then went back to the beginning to read it properly: it really is a very worthwhile summary.

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories
