
[ASK] Password hashing


michaelslamet

Ok, I understand we can't save the plain-text password in the AutoIt script (compiled or not) for safety reasons.

I (just) understand how to use password hashing if the user needs to enter a password.

Something like this:

; hash() is a placeholder for a one-way hash function (e.g. _Crypt_HashData() from <Crypt.au3>)
$server_password_hash = "380183901830210"

$user_entered_password = InputBox("Security Check", "Enter your password.", "", "*")

If hash($user_entered_password) <> $server_password_hash Then
     MsgBox(0, "Info", "Wrong Password!")
     Exit
EndIf
; otherwise the script continues here

But what if we want to connect to the MySQL server to read databases without the user needing to input the password?

Something like this:

$mysql_username ="myusername"
$mysql_password_in_hash = "981891839193231"
$mysql_database_name = "mydatabase"
$mysql_server_name = "mywebsite.com"

$SQLInstance = _MySQLConnect($mysql_username, unhash($mysql_password_in_hash), $mysql_database_name, $mysql_server_name)

If somebody decompiles the code, he could easily get the password with unhash($mysql_password_in_hash), so what is the point of hashing the password in this scenario?

Please enlighten me :)

Hope that I'm not starting a hamster wheel again in this thread and getting my thread stopped :D

BrewManNH

What's the point of password protecting the database if anyone that uses this script won't need it?



michaelslamet

Aha! I got your point, BrewManNH!

You mean I should create a new user for reading this database (currently I connect to the database as root) and ask the user to enter the password every time he starts this script?

AZJIO

@dwerf, http://autoit-script.ru/index.php/topic,2241.msg16333.html#msg16333

#include <String.au3>

; The stored value is the password 'qwerty' encrypted with itself as the key:
;~ $sCryptedPass = _StringEncrypt(1, 'qwerty', 'qwerty')
$sCryptedPass = '9BA81FDF0B89502F8E2B599A'

$sPassInput = InputBox('Password', 'Enter your password (qwerty):', '', '*')
If @error Then Exit

; Decrypt the stored value with the entered password as the key; only the
; correct password turns it back into itself.
If _StringEncrypt(0, $sCryptedPass, $sPassInput) = $sPassInput Then
    ; The protected expression is stored encrypted as well and is only
    ; decrypted (and executed) with the correct password.
    Execute(_StringEncrypt(0, _
    'E3DD1FA20B8B512F8F59599BA2BFDC054B10F068FDE104C0EE6' & _
    '0BC5B63C52E214CD5891A3DF915F03BBB24439C92632BEF9178' & _
    '484514F0D06D7AA2169B911BB8E2CF588470D2B7CA256DA4555' & _
    'CECAAE8039CF1DF9CE5190B2997EFD6CDBF97A99B9C0D088A00' , _
    $sPassInput))
Else
    MsgBox(0, 'False', '"' & $sPassInput & '" is false.')
EndIf

Mat

I think BrewManNH was suggesting you make a new user with only read access, who has no password (or has a password you just store in plaintext).

That way the sql server has to worry about security, not your script.

Just make sure there isn't any sensitive data in tables that you don't want anyone to be able to read!

michaelslamet

I think BrewManNH was suggesting you make a new user with only read access, who has no password (or has a password you just store in plaintext).

That way the sql server has to worry about security, not your script.

Just make sure there isn't any sensitive data in tables that you don't want anyone to be able to read!

Aha! I got your point, BrewManNH!

You mean I should create a new user for reading this database (currently I connect to the database as root) and ask the user to enter the password every time he starts this script?

Ok, I've been thinking it over and over again. Mat was right; this is not what it's supposed to do.

This is the scenario:

The user inputs a username and password, and I need to verify that username and password against the ones stored in the MySQL database.

So I need to connect to the MySQL database using a password that is NOT INPUTTED by the user, because I can't let the user know the database password, right?

How could that be possible without me explicitly storing the MySQL database password in the source code?

michaelslamet

@dwerf, http://autoit-script.ru/index.php/topic,2241.msg16333.html#msg16333

#include <string.au3>

;~ $sCryptedPass = _StringEncrypt(1, 'qwerty', 'qwerty')
$sCryptedPass = '9BA81FDF0B89502F8E2B599A'

$sPassInput = InputBox('Password', 'Enter your password (qwerty):', '', '*')
If @error Then Exit

If _StringEncrypt(0, $sCryptedPass, $sPassInput) = $sPassInput Then
    Execute(_StringEncrypt(0, _
    'E3DD1FA20B8B512F8F59599BA2BFDC054B10F068FDE104C0EE6' & _
    '0BC5B63C52E214CD5891A3DF915F03BBB24439C92632BEF9178' & _
    '484514F0D06D7AA2169B911BB8E2CF588470D2B7CA256DA4555' & _
    'CECAAE8039CF1DF9CE5190B2997EFD6CDBF97A99B9C0D088A00' , _
    $sPassInput))
Else
    MsgBox(0, 'False', '"' & $sPassInput & '" is false.')
EndIf

AZJIO, thanks a lot, this seems promising!

Using the above example, the encrypted password for "qwerty" is "9BA81FDF0B89502F8E2B599A".

And there is no way to decrypt "9BA81FDF0B89502F8E2B599A" back to "qwerty"? It's only one-way?

michaelslamet

AZJIO, thanks a lot, this seems promising!

Using the above example, the encrypted password for "qwerty" is "9BA81FDF0B89502F8E2B599A".

And there is no way to decrypt "9BA81FDF0B89502F8E2B599A" back to "qwerty"? It's only one-way?

Seems like this can be decrypted back, so it's not one-way :(

So what is the point if it can be decrypted back?

michaelslamet

I should use MD5 for this task. Am I correct? Need advice!

Mat

When you set the password in the database, set it to the hash rather than the plaintext password?

AZJIO

You want the user to enter the password, and yet not know this password?

michaelslamet

You want the user to enter the password, and yet not know this password?

You misunderstood me.

The user inputs a username and password, and I need to verify that username and password against the ones stored in the MySQL database.

The MySQL database contains something like this:

username1 = ...

password1 = ...

username2 = ...

password2 = ...

For me to verify the password, I need to connect to the MySQL database using a correct username and password, not the username and password input by the user.

How can I read the username and password for reading the MySQL database without storing it in the source code?

Or how can I safely store the password in the source code?

michaelslamet

When you set the password in the database, set it to the hash rather than the plaintext password?

Good idea. But how?

When we save it as a hash (rather than the plaintext password), in the same source code we will need to tell the script how to decrypt it, right?

(remember, we don't ask for user input for this password)

If somebody decrypts our code, he will easily know the password, in hash or plaintext.

Am I missing something?

michaelslamet

You can not do anything. Never store passwords in the script.

So the only way is to ask the user to enter the database password?

If he knows the database password, he can create his own script and read all of the data, not limited to what our script provides him, which is a bad idea.

So there is no solution for this problem?

jchd

Please explain your goal more clearly.

From reading the thread I'd say that there are a few points to consider:

  • NEVER EVER store couples {login, password} in cleartext anywhere, especially in a DB. Always store hashes, preferably using salt.
  • Any script or program can be reverse-engineered, so don't store credentials in scripts/programs either.
  • Since your compiled script can be reverse-engineered (please don't try talking this subject further here), what is the purpose of obtaining a {login, password} validity status from a remote DB? Without discussing further details, just realize that the script can be circumvented to bypass the validity check.
  • If you want to only allow access or operation on a local PC after credentials checking, why not use a local credentials checking procedure? Depending on the operation you want to allow/deny locally, the local OS may offer you a native way to do so.
  • The typical way to use credentials over a network is to supply {login, password} through a safe channel to obtain access to a remote resource (just like a forum, e.g. this one). If the resource is local, either lock its access using local OS features or use remote credentials validation to obtain a unique "secret" (unique piece of data or code) necessary for accessing a local resource.
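Mat's suggestion (store the hash in the database, not the password) and jchd's first and last points (salted hashes; credentials validated on the remote side so the client script never holds the database password) as one worked example. This is added example code, not from the thread or from any of the posters. It uses only Python's standard library: an in-memory SQLite table is an assumed stand-in for the MySQL users table, PBKDF2-HMAC-SHA256 with an assumed iteration count is the salted one-way hash, and the function names and the "session token as the secret handed back to the client" idea are illustration choices, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Constructed stand-in for the MySQL users table: an in-memory SQLite database.
# Only the server side ever opens this connection; the client script (the AutoIt
# program in the thread) holds no database credentials at all.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
)

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the server's hardware
SALT_BYTES = 16              # assumed salt length


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    Unlike _StringEncrypt(), there is no key that turns this back into the
    password; a verifier can only recompute the hash and compare."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(username: str, password: str) -> None:
    """Server side: store a fresh random salt plus the hash, never the plaintext."""
    salt = os.urandom(SALT_BYTES)
    _db.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    _db.commit()


def stored_record(username: str):
    """Return (salt, pw_hash) for a user, or None. Shows what the table actually holds."""
    row = _db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return None if row is None else (row[0], row[1])


def authenticate(username: str, password: str):
    """Server-side check. Returns a random session token on success, None otherwise.
    The client only ever learns the token; it never sees the salt, the hash or the
    credentials the server uses to reach the database."""
    record = stored_record(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a known one.
        hash_password(password, b"\x00" * SALT_BYTES)
        return None
    salt, expected = record
    candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, expected):  # constant-time comparison
        return None
    return secrets.token_hex(16)


if __name__ == "__main__":
    register_user("alice", "qwerty")
    register_user("bob", "qwerty")  # same password, different stored hash (per-user salt)
    print("alice stored hash:", stored_record("alice")[1].hex())
    print("bob stored hash:  ", stored_record("bob")[1].hex())
    print("correct password ->", authenticate("alice", "qwerty") is not None)
    print("wrong password   ->", authenticate("alice", "qwertz") is not None)
```

In the thread's scenario, `register_user()` and `authenticate()` would run on the server side (a small web service or similar sitting in front of MySQL); the AutoIt script sends the username and password over TLS and gets back only the token, so reverse-engineering the script yields neither the database password nor any user's password. The per-user salt is why two users with the same password get different stored hashes, which is the point of jchd's "preferably using salt".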
