Salted Password Hashing

[MyEarth]

Hi,

I'll post here because this script involved many language...but not Autoit

I'll explain better, in this forum i don't have found any example of salted password hashing, on the web there are in every language existing, C, C++, C#, Java, PHP etc. Someone use the PBKDF2, scrypt, or bcrypt library or custom function

Since i don't have found nothing in my language and english is not my best friend, after many research i'm here to "revise" this code for autoit:

expandcollapse popup

#include <Crypt.au3>

$aPass = "My Password" ; testing purporse
$aHash = _HashPassword($aPass)
MsgBox(0, "Crypted", $aHash)

If _CheckPassword($aPass, $aHash) = True Then
    MsgBox(0, "Decrypted", "Well done")
Else
    MsgBox(0, "Wrong Password", "Something goes wrong")
EndIf

Func _HashPassword($inPwd, $inSalt = "", $sDelimitator = "|", $inSalt_Number = 64)
    Local Const $CALG_SHA512 = 0x0000800e
    Local $sSalt, $sHash, $sPassword
    Local $sPassword = StringStripWS($inPwd, 3)
    Local $aSalt = StringSplit("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", "")
    If $inSalt = "" Then
        For $i = 1 To $inSalt_Number
            $sSalt &= $aSalt[Random(1, $aSalt[0], 1)]
        Next
    Else
        $sSalt = $inSalt
    EndIf
    _Crypt_Startup()
    $sHash = $sPassword & $sSalt
    For $i = 1 To 256
        $sHash = _Crypt_HashData($sHash, $CALG_SHA512)
        If $sHash = -1 Then
            Return SetError(-1, 0, 0)
        Else
            $sHash = StringMid($sHash, 3)
        EndIf
    Next
    _Crypt_Shutdown()
    Return $sHash & $sDelimitator & $sSalt
EndFunc   ;==>_HashPassword

Func _CheckPassword($inPwd, $inHash, $sDelimitator = "|")
    Local $sHash, $sSalt
    $aHash = StringSplit($inHash, $sDelimitator)
    If Not IsArray($aHash) Or $aHash[0] <> 2 Then Return SetError(1, 0, 0)
    $sHash = $aHash[1]
    $sSalt = $aHash[2]
    If _HashPassword($inPwd, $sSalt, $sDelimitator) <> $inHash Then Return SetError(2, 0, 0)
    Return True
EndFunc   ;==>_CheckPassword

This is the result:

4D3F6DA9EB0F1FE9B80291A34AC104C28F07E8D6918A6F35EB95EFE47CE7BE79707ACCED7F05DF55095B61CEB1BE15A558CF6D8A893C919EA1A153A14DF3C66D|COiJhdR1tlHKK3IBGup1BunLOn0GweNkzw40OzPtNBazhMjAHontKRdKNFiujW8N

Isn't to easy to remove the "salt part"? It change everytime, the delimenter | can be a "custom" delimenter but the string is too easy to recognize:

|COiJhdR1tlHKK3IBGup1BunLOn0GweNkzw40OzPtNBazhMjAHontKRdKNFiujW8N

After removing the salt, is only a SHA-2, yes safer but the salt is useless in the code. Maybe i can remove the delimeter and use StringRight($inSalt_Number) instead of StrinSplit() and use _Crypt_HashData also on the salt for make an "homogeneous" string?

So please someone more expert the me can check if the code is good or not, if there are mistake or any suggestion are accepted

Edited August 9, 2013 by MyEarth

[James]

Perhaps the source of the UDF you're using would be useful? https://github.com/M3d1c5/HashPassword.au3

[wraithdu]

Isn't to easy to remove the "salt part"?

 

I don't think you understand what it means to salt a password. The salt is never secret, otherwise it would be impossible to validate the password against the hash. Google it.

[MyEarth]

I don't think you understand what it means to salt a password. The salt is never secret, otherwise it would be impossible to validate the password against the hash. Google it.

 

I have ask for help because the situation is not clear for me, and i'll repeat i don't have found nothing in my language. I don't have say to make a secret salt, but how to add a salt can be easyly removed?

 

Perhaps the source of the UDF you're using would be useful? https://github.com/M3d1c5/HashPassword.au3

 

Damn, i have forget to add the hyperlink browser problem. Done

Edited August 9, 2013 by MyEarth