
Best - Secure way to store passwords



Hi, would someone be so kind as to show me the best and most secure way to store locally a password obtained from a basic InputBox()?

I have read not to store the password in the compiled script but to put the password encrypted in a file, not as plain text that can be easily opened :D

Thanks to all

Edited by MyEarth
  • Moderators

Did you try a forum search? If you had you would have found this thread that was just opened.


"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


Never ever store passwords. Store only salted hashes.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

  • Moderators

Obviously you didn't read through it very well. There were several other options, such as using _Crypt functions and writing a hash to the registry.


Wait, don't I need to combine the Crypt UDF, to encrypt the password, with saving it to a file as a salted hash?

Or can I write the encrypted password directly to the file? That doesn't seem like a good idea.

I have some language problems because English is not my mother tongue, so, if possible, I would prefer something I can read, like an example. Thanks to all for the help.

Edited by MyEarth

A basic Google search on "store password hash salt" easily points to countless good explanations and informative pages. For instance this one.

You can probably read from there or perform a similar search in your native language.


jchd, I haven't found anything in my language :(

Anyway, these are the results of my research.

This script is done with the classic _Crypt UDF:

#include <Crypt.au3>

_Crypt_Startup()

$sPass = "My Password" ; testing purpose

; Derive an AES-256 key from the password; $hKey is a key handle, not a password
$hKey = _Crypt_DeriveKey($sPass, $CALG_AES_256)
If @error Then Exit MsgBox(16, "Error", "_Crypt_DeriveKey failed")

; When a key handle is passed, the algorithm parameter must be $CALG_USERKEY.
; With $CALG_AES_256 here the UDF would derive a new key from the handle value and ignore $hKey.
$bEncrypted = _Crypt_EncryptData($sPass, $hKey, $CALG_USERKEY)
$bDeCrypted = BinaryToString(_Crypt_DecryptData($bEncrypted, $hKey, $CALG_USERKEY))

MsgBox(0, "Encrypted", $bEncrypted)
MsgBox(0, "Decrypted", $bDeCrypted)

_Crypt_DestroyKey($hKey)
_Crypt_Shutdown()

And this one with the salted password hash:

#include <Crypt.au3>

$sPass = "My Password" ; testing purpose
$sStored = _HashPassword($sPass) ; "<hex hash>|<salt>", this is what gets saved
MsgBox(0, "Hashed", $sStored)

If _CheckPassword($sPass, $sStored) = True Then
    MsgBox(0, "Verified", "Well done")
Else
    MsgBox(0, "Wrong Password", "Something went wrong")
EndIf

; Returns "<hex hash>" & $sDelimiter & "<salt>"; with no salt given, a random salt of $inSalt_Number characters is generated
Func _HashPassword($inPwd, $inSalt = "", $sDelimiter = "|", $inSalt_Number = 40)
    Local Const $CALG_SHA512 = 0x0000800e
    Local $sSalt = "", $sHash, $i
    Local $sPassword = StringStripWS($inPwd, 3) ; strip leading and trailing whitespace
    Local $aSalt = StringSplit("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "")
    If $inSalt = "" Then
        For $i = 1 To $inSalt_Number
            $sSalt &= $aSalt[Random(1, $aSalt[0], 1)]
        Next
    Else
        $sSalt = $inSalt
    EndIf
    _Crypt_Startup()
    $sHash = $sPassword & $sSalt
    For $i = 1 To 256
        $sHash = _Crypt_HashData($sHash, $CALG_SHA512) ; returns Binary, sets @error on failure
        If @error Then
            _Crypt_Shutdown() ; balance the _Crypt_Startup() above before bailing out
            Return SetError(-1, 0, 0)
        EndIf
        $sHash = StringMid($sHash, 3) ; drop the "0x" prefix, keep the hex text for the next round
    Next
    _Crypt_Shutdown()
    Return $sHash & $sDelimiter & $sSalt
EndFunc   ;==>_HashPassword

Func _CheckPassword($inPwd, $inHash, $sDelimiter = "|")
    Local $aHash = StringSplit($inHash, $sDelimiter) ; Local, so the script-level variables are not clobbered
    If $aHash[0] <> 2 Then Return SetError(1, 0, 0)
    Local $sSalt = $aHash[2]
    ; == compares case-sensitively; = and <> compare strings case-insensitively in AutoIt
    If Not (_HashPassword($inPwd, $sSalt, $sDelimiter) == $inHash) Then Return SetError(2, 0, 0)
    Return True
EndFunc   ;==>_CheckPassword

You guys are absolutely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

Edited by MyEarth
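Added example, written for this thread in Python rather than AutoIt so it can be run and checked anywhere; it is not code from the thread, from the AutoIt _Crypt UDF, or from any project. It ports the posted _HashPassword()/_CheckPassword() scheme (SHA-512 over password+salt, re-hashed over its own hex text for 256 rounds, stored as "hash|salt"), assuming that AutoIt renders a Binary value as "0x" followed by upper-case hex, which is what the StringMid call in the original strips. Beside it sits the kind of salted hash jchd's reply calls for, built on the standard library's PBKDF2-HMAC-SHA256 with a random 16-byte salt, the iteration count stored in the record, and a constant-time comparison. The first posted script is not ported: it encrypts the password with a key derived from that same password, so the stored value can only be opened by someone who already knows it. All function names, the record layouts and the 600,000 iteration figure are this example's own choices, not the thread's.

```python
"""Salted password storage: the scheme posted above, ported to Python, next to a
standard PBKDF2 record. Added example, not code from the thread (constructed)."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Same salt alphabet the AutoIt _HashPassword() draws from
SALT_ALPHABET = string.ascii_letters + string.digits


def posted_scheme_hash(password: str, salt: Optional[str] = None, rounds: int = 256) -> str:
    """Port of the posted _HashPassword(): SHA-512 over password+salt, then the
    upper-case hex text re-hashed until `rounds` digests have been computed.
    Assumes AutoIt stringifies Binary as '0x' + UPPER-CASE hex (the original's
    StringMid drops that '0x'). Output is '<128 hex chars>|<salt>'."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(40))
    data = (password.strip() + salt).encode("utf-8")  # StringStripWS(..., 3)
    for _ in range(rounds):
        data = hashlib.sha512(data).hexdigest().upper().encode("ascii")
    return data.decode("ascii") + "|" + salt


def posted_scheme_verify(password: str, record: str) -> bool:
    """Port of _CheckPassword(), with a constant-time comparison instead of <>."""
    parts = record.split("|")
    if len(parts) != 2:
        return False
    recomputed = posted_scheme_hash(password, parts[1])
    return hmac.compare_digest(recomputed.encode("utf-8"), record.encode("utf-8"))


# PBKDF2-HMAC-SHA256 work factor: a widely published baseline at the time of
# writing; raise it as far as your login latency budget allows.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing record 'scheme$iterations$salt_hex$hash_hex', so the
    work factor can be raised later without invalidating stored records."""
    if salt is None:
        salt = os.urandom(16)  # CSPRNG, unlike AutoIt's Random()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; reject malformed input."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # wrong field count, non-integer count or bad hex
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex().encode("utf-8"), dk_hex.encode("utf-8"))


if __name__ == "__main__":
    pw = "My Password"  # constructed test value, same as in the thread
    posted = posted_scheme_hash(pw)
    std = pbkdf2_hash(pw)
    print("posted scheme :", posted)
    print("pbkdf2 record :", std)
    print("right password:", posted_scheme_verify(pw, posted), pbkdf2_verify(pw, std))
    print("wrong password:", posted_scheme_verify("wrong", posted), pbkdf2_verify("wrong", std))
```

One behaviour carried over from the AutoIt original is worth knowing about: because StringStripWS(..., 3) runs before hashing, " My Password " and "My Password" produce the same record, so padded and unpadded entries verify against each other. The PBKDF2 record keeps the salt and iteration count alongside the hash for the same reason the posted scheme appends the salt after "|": a verifier needs them, and an attacker gains nothing from seeing them.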

I have edited the salted-hash function: I had forgotten to add the custom delimiter when checking the password, and I have added SetError instead of Return False.

My questions are always the same:

You guys are absolutely more expert than me, so what do you think? Should I use the salted hash? Are both well coded, or are there errors? Which is the most secure?

Thanks to anyone who wants to participate.

