Posted (edited)

Hi, would someone be so kind as to show me the best and most secure way to store locally a password saved from a basic InputBox()?

I have read that you shouldn't store the password in the compiled script but put it encrypted in a file, not as plain text, which can be easily opened :D

Thanks to all

Edited by MyEarth
Posted

Never ever store passwords. Store only salted hashes.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Posted

Yes, writing the password with FileWrite(@ScriptDir & "\file.ext", GuiCtrlRead($input)) wasn't a good idea :D

"Store only salted hashes": can you show me how to do it? And is this the secure way to store a password? Thanks

Posted (edited)

Wait, don't I need to combine the Crypt UDF to encrypt the password and then save it to a file using a salted hash?

Or can I write the encrypted password directly to the file? That doesn't seem like a good idea.

I have some language problems because English is not my mother tongue, so, if possible, I'd prefer something I can read, like an example. Thanks to all for the help.

Edited by MyEarth
Posted

A basic Google search on "store password hash salt" easily points to countless good explanations and informative pages. For instance, this one.

You can probably read from there or perform a similar search in your native language.


Posted (edited)

jchd, I haven't found anything in my language :(

Anyway, these are the results of my research.

This script is done with the classic _Crypt UDF:

#include <Crypt.au3>

_Crypt_Startup()

$aPass = "My Password" ; testing purpose
; The key is derived from the password itself, so the same password is needed again
; to decrypt: the file would hold the password encrypted under a key made from it.
$hKey = _Crypt_DeriveKey($aPass, $CALG_AES_256)
$bEncrypted = _Crypt_EncryptData($aPass, $hKey, $CALG_AES_256)
$bDeCrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_AES_256))

MsgBox(0, "Crypted", $bEncrypted)
MsgBox(0, "Decrypted", $bDeCrypted)

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()

And this one with the salted password hash:

#include <Crypt.au3>

$aPass = "My Password" ; testing purpose
$aHash = _HashPassword($aPass)
MsgBox(0, "Crypted", $aHash)

If _CheckPassword($aPass, $aHash) = True Then
    MsgBox(0, "Decrypted", "Well done")
Else
    MsgBox(0, "Wrong Password", "Something goes wrong")
EndIf

; Returns "<hex hash><delimiter><salt>". The salt is kept next to the hash so that
; _CheckPassword can recompute the very same hash for a candidate password.
Func _HashPassword($inPwd, $inSalt = "", $sDelimitator = "|", $inSalt_Number = 40)
    Local Const $CALG_SHA512 = 0x0000800e ; newer Crypt.au3 releases already define this constant
    Local $sSalt = "", $sHash, $i
    Local $sPassword = StringStripWS($inPwd, 3)
    Local $aSalt = StringSplit("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "")
    If $inSalt = "" Then
        ; Random() is not a cryptographic generator: fine for a test, weak for a real salt
        For $i = 1 To $inSalt_Number
            $sSalt &= $aSalt[Random(1, $aSalt[0], 1)]
        Next
    Else
        $sSalt = $inSalt
    EndIf
    _Crypt_Startup()
    ; Iterated hash of password & salt; every round hashes the hex string of the previous one.
    ; 256 rounds of SHA-512 is much cheaper to brute-force than a real KDF such as PBKDF2.
    $sHash = $sPassword & $sSalt
    For $i = 1 To 256
        $sHash = _Crypt_HashData($sHash, $CALG_SHA512)
        If @error Then
            _Crypt_Shutdown()
            Return SetError(-1, 0, 0)
        EndIf
        $sHash = StringMid($sHash, 3) ; drop the "0x" prefix of the binary's string form
    Next
    _Crypt_Shutdown()
    Return $sHash & $sDelimitator & $sSalt
EndFunc   ;==>_HashPassword

; Splits "<hash><delimiter><salt>", rehashes the candidate with the stored salt and compares.
Func _CheckPassword($inPwd, $inHash, $sDelimitator = "|")
    Local $aHash = StringSplit($inHash, $sDelimitator)
    If Not IsArray($aHash) Or $aHash[0] <> 2 Then Return SetError(1, 0, 0)
    Local $sSalt = $aHash[2]
    If _HashPassword($inPwd, $sSalt, $sDelimitator) <> $inHash Then Return SetError(2, 0, 0)
    Return True
EndFunc   ;==>_CheckPassword

You guys are definitely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

Edited by MyEarth
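As an added example covering jchd's "store only salted hashes" advice and the two scripts above (this is not MyEarth's code nor part of the Crypt UDF; it is written in Python rather than AutoIt because the standard library ships PBKDF2, but the design maps one-to-one onto the AutoIt version): a random salt from the OS generator, an iterated hash, a self-describing record that stores algorithm, iteration count, salt and hash together, a verifier that recomputes the hash and compares it in constant time, and the file round trip the thread asks about. The record layout and the function names (`hash_password`, `check_password`, `save_record`, `load_record`, `round_trip_via_file`) are my own choices.

```python
import base64
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# Record layout (chosen for this example): algorithm$iterations$salt$hash,
# with salt and hash base64-encoded. Storing the parameters in the record
# lets you raise the iteration count later without breaking old records.
ALGORITHM = "sha512"
ITERATIONS = 200_000   # slows down guessing; tune to what your machine tolerates
SALT_BYTES = 16
DELIMITER = "$"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, iterated hash (PBKDF2-HMAC) and return the storable record."""
    if salt is None:
        # Salt from the OS CSPRNG; a general-purpose Random() is not suitable here.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return DELIMITER.join((
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ))


def check_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record."""
    try:
        algorithm, iterations_str, salt_b64, hash_b64 = record.split(DELIMITER)
        iterations = int(iterations_str)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        actual = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), salt, iterations)
    except (ValueError, TypeError):
        return False  # a malformed or unsupported record never verifies
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)


def save_record(path: str, record: str) -> None:
    """Write the record (never the password itself) to a file."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(record + "\n")


def load_record(path: str) -> str:
    """Read the record back; whitespace around it is ignored."""
    with open(path, "r", encoding="ascii") as fh:
        return fh.read().strip()


def round_trip_via_file(record: str) -> str:
    """Save the record to a temporary file and load it again (the thread's use case)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "password.txt")
        save_record(path, record)
        return load_record(path)


if __name__ == "__main__":
    record = hash_password("My Password")  # constructed test value, as in the thread
    stored = round_trip_via_file(record)
    print(stored)
    print("correct password:", check_password("My Password", stored))
    print("wrong password:  ", check_password("My Passw0rd", stored))
```

Note that, unlike the _Crypt_DeriveKey script, nothing in the file lets anyone recover the password; the record is only enough to check a candidate. Hashing the same password twice gives two different records because each call draws a fresh salt, which is exactly what stops precomputed tables from being reused across users.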
Posted

I have edited the salted hash function; I had forgotten to add the custom delimiter when decrypting the password, and I have added SetError instead of Return False.

My questions are always the same:

Quote:

You guys are definitely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

Thanks to anyone who wants to participate.
