
Best - Secure way to store passwords


Recommended Posts

Hi, would someone be so kind as to show me the best, secure way to store locally a password saved from a basic InputBox()?

I have read not to store the password in the compiled script but to put the password encrypted in a file, not as plain text, which can be easily opened :D

Thanks to all


  • Moderators

Did you try a forum search? If you had you would have found this thread that was just opened.


"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


Never ever store passwords. Store only salted hashes.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)


  • Moderators

Obviously you didn't read through it very well. There were several other options, such as using _Crypt functions and writing a hash to the registry.


Wait, don't I need to combine the Crypt UDF to encrypt the password and then save it to a file using a salted hash?

Or can I write the encrypted password directly to the file? That doesn't seem a good idea.

I have some language problems because I'm not a native English speaker, so if possible I'd prefer something I can read, like an example. Thanks to all for the help.


A basic Google search on "store password hash salt" easily points to countless good explanations and informative pages. For instance this one.

You can probably read from there or perform a similar search in your native language.


jchd, I haven't found anything in my language :(

Anyway, these are the results of my research.

This script is done with the classic _Crypt UDF:

#include <Crypt.au3>

_Crypt_Startup()

$aPass = "My Password" ; testing purpose
; Derive an AES-256 key from the password, then encrypt the same string with it
$hKey = _Crypt_DeriveKey($aPass, $CALG_AES_256)
$bEncrypted = _Crypt_EncryptData($aPass, $hKey, $CALG_AES_256)
; Decrypt and convert the returned binary back to a string
$bDeCrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_AES_256))

MsgBox(0, "Crypted", $bEncrypted)
MsgBox(0, "Decrypted", $bDeCrypted)

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()

And this one with the salted password hash:

#include <Crypt.au3>

$aPass = "My Password" ; testing purpose
$aHash = _HashPassword($aPass)
MsgBox(0, "Crypted", $aHash)

If _CheckPassword($aPass, $aHash) = True Then
    MsgBox(0, "Decrypted", "Well done")
Else
    MsgBox(0, "Wrong Password", "Something goes wrong")
EndIf

; Returns "hash|salt"; the salt is stored next to the hash so it can be reused when checking
Func _HashPassword($inPwd, $inSalt = "", $sDelimitator = "|", $inSalt_Number = 40)
    Local Const $CALG_SHA512 = 0x0000800e
    Local $sSalt = "", $sHash
    Local $sPassword = StringStripWS($inPwd, 3)
    Local $aSalt = StringSplit("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "")
    If $inSalt = "" Then
        ; Build a fresh random salt (note: Random() is not a cryptographic generator)
        For $i = 1 To $inSalt_Number
            $sSalt &= $aSalt[Random(1, $aSalt[0], 1)]
        Next
    Else
        $sSalt = $inSalt ; reuse the stored salt when verifying
    EndIf
    _Crypt_Startup()
    $sHash = $sPassword & $sSalt
    For $i = 1 To 256 ; iterate the hash to make guessing slower
        $sHash = _Crypt_HashData($sHash, $CALG_SHA512)
        If @error Then ; _Crypt_HashData returns -1 and sets @error on failure
            _Crypt_Shutdown()
            Return SetError(-1, 0, 0)
        EndIf
        $sHash = StringMid($sHash, 3) ; drop the "0x" prefix of the hex string
    Next
    _Crypt_Shutdown()
    Return $sHash & $sDelimitator & $sSalt
EndFunc   ;==>_HashPassword

Func _CheckPassword($inPwd, $inHash, $sDelimitator = "|")
    Local $sHash, $sSalt, $aHash
    $aHash = StringSplit($inHash, $sDelimitator)
    If Not IsArray($aHash) Or $aHash[0] <> 2 Then Return SetError(1, 0, 0)
    $sHash = $aHash[1]
    $sSalt = $aHash[2]
    ; Recompute with the stored salt and compare the whole "hash|salt" record
    If _HashPassword($inPwd, $sSalt, $sDelimitator) <> $inHash Then Return SetError(2, 0, 0)
    Return True
EndFunc   ;==>_CheckPassword

You guys are definitely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

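The same "hash|salt" scheme as the second script above, as an added example that is not from this thread, written in Python as a stand-in for AutoIt: the salt comes from the OS random generator, the hash is stretched with PBKDF2-HMAC-SHA512 instead of a plain hash loop, and the comparison is constant-time. The salt size, iteration count and file name are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt and a PBKDF2
# iteration count high enough to make guessing slow on the target machine.
SALT_BYTES = 16
ITERATIONS = 200_000
DELIMITER = "|"          # same "hash|salt" layout as the AutoIt function above


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA512: the salted, iterated hash is what gets stored, never the password
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the storable record "hash|salt" (both base64-encoded)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # CSPRNG, not a general-purpose Random()
    digest = _derive(password, salt)
    return base64.b64encode(digest).decode() + DELIMITER + base64.b64encode(salt).decode()


def check_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split(DELIMITER)
    if len(parts) != 2:
        return False
    try:
        stored_digest = base64.b64decode(parts[0], validate=True)
        salt = base64.b64decode(parts[1], validate=True)
    except ValueError:                  # binascii.Error is a subclass of ValueError
        return False
    return hmac.compare_digest(_derive(password, salt), stored_digest)


if __name__ == "__main__":
    record = hash_password("My Password")   # constructed test value
    with open("password.dat", "w", encoding="utf-8") as fh:
        fh.write(record)                    # only the hash and the salt reach disk
    with open("password.dat", encoding="utf-8") as fh:
        print(check_password("My Password", fh.read()))   # True
```

A wrong password, a tampered salt or a malformed record all return False rather than raising, so the caller only has one path to handle.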

I have edited the salted hash function; I had forgotten to add the custom delimiter when verifying the password, and I have added SetError instead of Return False.

My questions are always the same:

You guys are definitely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

Thanks to anyone who wants to participate.
