Programs with passwords

I_Need_Money (Limp Gawd; joined Jan 24, 2004; 159 messages)
Does anyone here know how most programs out there manage non-hardcoded passwords? This is something I've been thinking about a lot recently but can't figure out. By non-hardcoded I mean that the program doesn't employ a strategy like this (pseudocode):
Code:
get_user_input(pwd)
if pwd != "blahblah"
    print "incorrect password"
    exit
else
    do stuff
For instance, I use a program called cryptext which allows you to encrypt a file by right-clicking on it and choosing the "encrypt" option from the context menu. When you select "encrypt" the program prompts you for a password and, if the password is correct, encrypts the file. It also allows you to change your password at any time.

How does it do this? It can't just be storing a password in some text file somewhere since that would make it too easy for others to find your password. And it can't be using some hard-coded password since it allows you to change your password at any time.

The main reason I ask is not just because I'm curious but because I'd like to have some kind of password system in a program that I'm writing. If it's too complicated then is there at least a free library out there that I can use (preferably in C/C++)?
 
Obviously, at some point, the program does compare the provided password with a list of known passwords, and then decides if it worked or not. So your pseudocode is correct, even if at an abstract level.

The way it works can depend on the application. Is this a program that you'll run on a server, or that many users will run on their client machine?

If it's on a server, and you carefully control access to the code, why not just use plain text in the code?

If it's code that runs in the hands of the users, then you have a bit of a harder problem. Eventually, someone can break it, since they have the code and time to study it.

The README.TXT file describes how CryptText works pretty well. Both your password and the key you supply are required to decrypt a file. The key is stored in the registry, but not in plain text.
 
One popular technique is to store a hash to the password somewhere. Preferably in a file only readable by that particular user. Any algorithm similar to MD5 or SHA1 would do. Note, MD5/SHA1 have been semi-broken recently, but for average data security they are still pretty good.
 
Twister said:
One popular technique is to store a hash to the password somewhere.

Maybe you missed the end of my post, where I pointed out that it was stored in the registry. Specifically, it ends up at HKCU/Software/Cryptext/Configuration in a value named HashedKey.
 
Thanks for the help.

My program won't be on a server, it's just going to be a regular program run on one machine. What I was planning on writing was a library system. There would be a record (a text file I guess) of all the books in the library with information such as quantity, the title and so on. People could login (which is why I want to know about passwords) with their username and password and non-staff users could view and check out books while the staff would have the additional privilege of ordering books for the library.

This is homework, but all that's required is to have plain text files with info and passwords in them. So I thought I'd use this as an opportunity to do something more and learn about passwords and related stuff even though it's not required.

I read the readme.txt file for cryptext and that exact strategy was a little over my head. For my purposes, do you think it would be alright to get some MD5/SHA-1 algorithm off the Internet and use it to store a hash of the password into a text file, then when the password is entered the program would just encrypt that and compare the output to what's in the text file? Do you guys have any recommendation for how I should go about making this program? I don't really know where to start.
 
Well, why not nail the basic requirement first? Then, you can revisit it and try different ways to encrypt the data file, and so on.

Which OS are you using? Windows? Something else?

For my purposes, do you think it would be alright to get some MD5/SHA-1 algorithm off the Internet and use it to store a hash of the password into a text file, then when the password is entered the program would just encrypt that and compare the output to what's in the text file?
That's one way to skin the cat.

The hashing algorithms work by mixing a key with the original data and trying to massage it in an unpredictable way. Of course, since a computer is doing it, it's slightly predictable. It's just very difficult to go backward.

If I give you a number and tell you to add 50 to it, you can do so and give me back the resulting number. If I subtract 50 from the number you give me, I certainly know what the original number was. Subtracting fifty is the inverse function to adding fifty.

The hashes, in theory, don't have an inverse function. If I give you my text and you hash it against a key, there's no function I can do on the resulting data that will tell me the key that was used. Or the resulting data; I need both.

The problem is that your program will have the hash baked-into it. It has to, otherwise it'll never get the plaintext itself. So if I'm good at disassembling programs and debugging them, I can probably figure out the key.

Is that good enough for a homework assignment? Probably. Should you ship some software based on that idea alone? Probably not!
 
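The scheme the thread has converged on (store a hash of the password in a file, hash whatever is typed at login, compare the two) as an added, stand-alone example in standard C++; it is not code from any participant here, nor from Cryptext. It goes a little beyond the posts in the way a practitioner would want: every user has their own salt, the hash is iterated, the comparison is constant-time, an unknown user costs the same as a wrong password, and each record carries the role (staff or member) the library program needs. SHA-256 is implemented inline only so that the example compiles without any library; the user names, salts, passwords and the `name:role:salt:iterations:digest` file format are all constructed for this example.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Compact SHA-256 (FIPS 180-4), written here only so the example runs without a library.
static const uint32_t SHA256_K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};
static inline uint32_t rotr32(uint32_t x, int n) { return (x >> n) | (x << (32 - n)); }

// Lowercase hex SHA-256 digest of msg.
std::string sha256_hex(const std::string& msg) {
    uint32_t h[8] = {0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19};
    std::vector<uint8_t> m(msg.begin(), msg.end());
    uint64_t bitlen = static_cast<uint64_t>(msg.size()) * 8;
    m.push_back(0x80);                                  // padding: 1 bit, zeros, 64-bit big-endian length
    while (m.size() % 64 != 56) m.push_back(0);
    for (int i = 7; i >= 0; --i) m.push_back(static_cast<uint8_t>(bitlen >> (8 * i)));
    for (size_t off = 0; off < m.size(); off += 64) {  // one 512-bit block at a time
        uint32_t w[64];
        for (int i = 0; i < 16; ++i)
            w[i] = (uint32_t(m[off + 4*i]) << 24) | (uint32_t(m[off + 4*i + 1]) << 16) |
                   (uint32_t(m[off + 4*i + 2]) << 8) | uint32_t(m[off + 4*i + 3]);
        for (int i = 16; i < 64; ++i)
            w[i] = w[i-16] + (rotr32(w[i-15], 7) ^ rotr32(w[i-15], 18) ^ (w[i-15] >> 3)) +
                   w[i-7] + (rotr32(w[i-2], 17) ^ rotr32(w[i-2], 19) ^ (w[i-2] >> 10));
        uint32_t a=h[0], b=h[1], c=h[2], d=h[3], e=h[4], f=h[5], g=h[6], hh=h[7];
        for (int i = 0; i < 64; ++i) {
            uint32_t t1 = hh + (rotr32(e,6) ^ rotr32(e,11) ^ rotr32(e,25)) + ((e & f) ^ (~e & g)) + SHA256_K[i] + w[i];
            uint32_t t2 = (rotr32(a,2) ^ rotr32(a,13) ^ rotr32(a,22)) + ((a & b) ^ (a & c) ^ (b & c));
            hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
        }
        h[0]+=a; h[1]+=b; h[2]+=c; h[3]+=d; h[4]+=e; h[5]+=f; h[6]+=g; h[7]+=hh;
    }
    char out[65];
    for (int i = 0; i < 8; ++i) std::snprintf(out + 8*i, 9, "%08x", static_cast<unsigned>(h[i]));
    return std::string(out, 64);
}

// One line of the (constructed) users file: name:role:salt:iterations:digest
struct UserRecord { std::string name, role, salt, digest; int iterations; };

// Salted, iterated hash standing in for a real password KDF (PBKDF2, bcrypt, Argon2):
// the per-user salt defeats precomputed tables, the iterations slow down guessing.
std::string slow_hash(const std::string& salt, const std::string& pw, int iterations) {
    std::string d = sha256_hex(salt + ":" + pw);
    for (int i = 1; i < iterations; ++i) d = sha256_hex(salt + ":" + d);
    return d;
}

// Builds one users-file line. A real program draws the salt from a CSPRNG (e.g.
// std::random_device); it is a parameter here so the example is deterministic.
std::string make_record(const std::string& name, const std::string& role,
                        const std::string& salt, int iterations, const std::string& pw) {
    return name + ":" + role + ":" + salt + ":" + std::to_string(iterations) + ":" +
           slow_hash(salt, pw, iterations);
}

std::map<std::string, UserRecord> parse_users(const std::string& text) {
    std::map<std::string, UserRecord> users;
    std::istringstream lines(text);
    std::string line, iters;
    while (std::getline(lines, line)) {
        std::istringstream f(line);
        UserRecord r;
        if (std::getline(f, r.name, ':') && std::getline(f, r.role, ':') && std::getline(f, r.salt, ':') &&
            std::getline(f, iters, ':') && std::getline(f, r.digest)) {
            r.iterations = std::stoi(iters);
            users[r.name] = r;
        }
    }
    return users;
}

// Compares every byte instead of stopping at the first mismatch, so the time taken
// does not reveal how much of the stored digest a guess matched.
bool constant_time_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Returns the user's role on success and "" on failure. An unknown name is still hashed
// against a dummy record so a lookup miss takes as long as a wrong password.
std::string login(const std::map<std::string, UserRecord>& users, const std::string& name, const std::string& pw) {
    static const UserRecord dummy{"", "", "00000000", std::string(64, '0'), 1000};
    auto it = users.find(name);
    const UserRecord& r = (it == users.end()) ? dummy : it->second;
    bool ok = constant_time_equal(slow_hash(r.salt, pw, r.iterations), r.digest) && it != users.end();
    return ok ? r.role : "";
}

int main() {  // constructed sample users file; the real one would be read from disk
    auto users = parse_users(make_record("alice", "staff", "8f1a2b3c", 1000, "correct horse") + "\n" +
                             make_record("bob", "member", "c0ffee42", 1000, "battery staple") + "\n");
    std::cout << "alice, right password -> [" << login(users, "alice", "correct horse") << "]\n"
              << "alice, wrong password -> [" << login(users, "alice", "wrong") << "]\n";
}
```

Nothing secret is compiled into the program: the file holds only salts and digests, so changing a password means rewriting one line, which is the behaviour the original question was puzzled by. What this does not solve is mikeblas's point about code running on the user's own machine: whoever can read the users file can also edit it, so it has to be protected by file permissions (or held by a separate server process) just like the book records.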
mikeblas said:
Which OS are you using? Windows? Something else?
I use Windows, but I wasn't planning on writing a Windows program. I just wanted to use standard C++ for everything so the program could run on whatever platform it's compiled on.

I've decided to go with your strategy and get the basic requirement done first and do all this password stuff later. But the more I think about my program the more things I find wrong with it. What good is my crappy password protection if the book records are stored as a plain text file? Someone could just go and mess around with that. Then the password system wouldn't even be an obstacle at all. The book records should not be open to regular users, so I think the only way sane people in the real world would go about making this system would be through some kind of a client/server thing, with all the records on the server computer. Is that right? Is there a way to reasonably make this program so everything works on just one computer? Do the library records have to be encrypted too!? :confused:

All the programs I've written so far have been stuff like "write a linked list class" or "write an algorithm to do this" or something like that. This security stuff is completely new to me so I don't even know what I'm doing.
 