MyEarth, Posted August 7, 2013 (edited)
Hi, would someone be so kind as to show me the best, secure way to store locally a password taken from a basic InputBox()? I have read not to store the password in the compiled script but to put the password encrypted in a file, not as plain text, which can be easily opened. Thanks to all.
Edited August 7, 2013 by MyEarth
JLogan3o13 (Moderator), Posted August 7, 2013
Did you try a forum search? If you had, you would have found this thread that was just opened.
(signature) "Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball. How to get your question answered on this forum!
MyEarth (Author), Posted August 7, 2013
Yes, I have searched, but I have found only old examples (my bad?) without the new Crypt functions.
jchd, Posted August 7, 2013
Never ever store passwords. Store only salted hashes.
(signature) This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks. Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here. RegExp tutorial: enough to get started. PCRE v8.33 regexp documentation: latest available release and currently implemented in AutoIt beta. SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try. SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager. An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work. SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well). A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages! SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt).
MyEarth (Author), Posted August 7, 2013
Yes, writing the password with FileWrite(@ScriptDir & "file.ext", GuiCtrlRead($input)) wasn't a good idea. "Store only salted hashes": can you show me how to do it? And is this the secure way to store a password? Thanks.
JLogan3o13 (Moderator), Posted August 7, 2013
Obviously you didn't read through it very well. There were several other options, such as using the _Crypt functions and writing a hash to the registry.
MyEarth (Author), Posted August 7, 2013 (edited)
Wait, don't I need to combine the Crypt UDF to encrypt the password and then save it to a file as a salted hash? Or can I write the encrypted password directly to the file? That doesn't seem a good idea. I have some language problems because English is not my mother tongue, so, if possible, I prefer something I can read, like an example. Thanks to all for the help.
Edited August 7, 2013 by MyEarth
jchd, Posted August 7, 2013
A basic Google search on "store password hash salt" easily points to countless good explanations and informative pages. For instance this one. You can probably read from there or perform a similar search in your native language.
MyEarth (Author), Posted August 7, 2013 (edited)
jchd, I haven't found anything in my language. Anyway, these are the results of my research. This script is done with the classic _Crypt UDF:

```autoit
#include <Crypt.au3>

_Crypt_Startup()
$aPass = "My Password" ; testing purpose

; Derive an AES-256 session key from the password. In this test the key is
; derived from the very string that is then encrypted.
$hKey = _Crypt_DeriveKey($aPass, $CALG_AES_256)

; $CALG_USERKEY tells the UDF that $hKey is an existing key handle. Passing
; $CALG_AES_256 here would make the UDF derive a fresh key from the handle's
; numeric value instead of using the key derived above.
$bEncrypted = _Crypt_EncryptData($aPass, $hKey, $CALG_USERKEY)
$bDeCrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_USERKEY))

MsgBox(0, "Crypted", $bEncrypted)
MsgBox(0, "Decrypted", $bDeCrypted)

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()
```

And this one with the password hash and salt:

```autoit
#include <Crypt.au3>

$aPass = "My Password" ; testing purpose
$aHash = _HashPassword($aPass)
MsgBox(0, "Crypted", $aHash)
If _CheckPassword($aPass, $aHash) = True Then
    MsgBox(0, "Decrypted", "Well done")
Else
    MsgBox(0, "Wrong Password", "Something goes wrong")
EndIf

; Returns "<hex hash><delimiter><salt>"; pass $inSalt to re-hash with a known salt
Func _HashPassword($inPwd, $inSalt = "", $sDelimitator = "|", $inSalt_Number = 40)
    Local Const $CALG_SHA512 = 0x0000800e
    Local $sSalt, $sHash
    Local $sPassword = StringStripWS($inPwd, 3) ; strip leading/trailing whitespace
    Local $aSalt = StringSplit("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "")
    If $inSalt = "" Then
        ; Random() is AutoIt's general-purpose PRNG, not a cryptographic one
        For $i = 1 To $inSalt_Number
            $sSalt &= $aSalt[Random(1, $aSalt[0], 1)]
        Next
    Else
        $sSalt = $inSalt
    EndIf
    _Crypt_Startup()
    $sHash = $sPassword & $sSalt
    ; 256 rounds of SHA-512; each round hashes the hex text of the previous digest
    For $i = 1 To 256
        $sHash = _Crypt_HashData($sHash, $CALG_SHA512)
        If @error Then
            _Crypt_Shutdown()
            Return SetError(-1, 0, 0)
        EndIf
        $sHash = StringMid($sHash, 3) ; drop the "0x" prefix of the binary string
    Next
    _Crypt_Shutdown()
    Return $sHash & $sDelimitator & $sSalt
EndFunc   ;==>_HashPassword

Func _CheckPassword($inPwd, $inHash, $sDelimitator = "|")
    ; Local is required here: without it this assignment overwrites the
    ; script-level $aHash variable
    Local $aHash = StringSplit($inHash, $sDelimitator)
    If Not IsArray($aHash) Or $aHash[0] <> 2 Then Return SetError(1, 0, 0)
    Local $sSalt = $aHash[2]
    ; re-hash with the stored salt and compare against the stored record
    If _HashPassword($inPwd, $sSalt, $sDelimitator) <> $inHash Then Return SetError(2, 0, 0)
    Return True
EndFunc   ;==>_CheckPassword
```

You guys are absolutely more expert than me, so what do you think? Should I use the hash and salt? Are both well coded, or are there errors? Which is the most secure?
Edited August 8, 2013 by MyEarth
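As an added example that is not from this thread, the same "hash|salt" record structure as the posted _HashPassword/_CheckPassword pair, written in Python with a CSPRNG salt and a constant-time comparison, plus a PBKDF2-HMAC-SHA512 variant as the standard replacement for the hand-rolled iteration loop. It mirrors the posted layout but is not guaranteed to yield byte-identical digests to the AutoIt code (that depends on how AutoIt renders binary as text); the 200,000 iteration count and the "pbkdf2$..." record format are assumptions of mine.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 256      # loop count in the posted _HashPassword()
SALT_HEX_CHARS = 40   # salt length in the posted _HashPassword()
DELIM = "|"           # record delimiter in the posted _HashPassword()

def make_salt() -> str:
    # CSPRNG, not Random(): a salt need not be secret but must be unpredictable
    return secrets.token_hex(SALT_HEX_CHARS // 2)

def hash_password(password: str, salt: str = "", iterations: int = ITERATIONS) -> str:
    # Returns '<hex digest>|<salt>', the same record layout as the posted function.
    if salt == "":
        salt = make_salt()
    if DELIM in salt:
        raise ValueError("salt must not contain the record delimiter")
    data = (password.strip() + salt).encode("utf-8")  # mirrors StringStripWS(.., 3)
    for _ in range(iterations):
        # the post re-hashes the hex text of the previous digest, so do the same
        data = hashlib.sha512(data).hexdigest().upper().encode("ascii")
    return data.decode("ascii") + DELIM + salt

def check_password(password: str, record: str) -> bool:
    parts = record.split(DELIM)
    if len(parts) != 2:
        return False                  # malformed record, like the post's SetError(1)
    stored, salt = parts
    candidate = hash_password(password, salt).split(DELIM)[0]
    # constant-time compare: a plain != can leak how many leading chars matched
    return hmac.compare_digest(candidate, stored)

def hash_password_pbkdf2(password: str, salt: str = "", iterations: int = 200_000) -> str:
    # Standard replacement for the hand-rolled loop; the record is self-describing
    if salt == "":
        salt = make_salt()
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt.encode("ascii"), iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt, dk.hex())

def check_password_pbkdf2(password: str, record: str) -> bool:
    try:
        scheme, iters, salt, _ = record.split("$")
        if scheme != "pbkdf2":
            return False
        candidate = hash_password_pbkdf2(password, salt, int(iters))
    except ValueError:                # wrong field count or non-numeric count
        return False
    return hmac.compare_digest(candidate, record)
```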
MyEarth (Author), Posted August 8, 2013
I have edited the hash and salt function; I had forgotten to add the custom delimiter when decrypting the password, and I have added SetError instead of Return False. My questions are always the same: you guys are absolutely more expert than me, so what do you think? Should I use the hash and salt? Are both well coded, or are there errors? Which is the most secure? Thanks to anyone who wants to participate.