I am creating a dialog in wxPython for login
purposes. Basically when the user clicks the ok
button, the dialog box saves the user name and
password as class attributes. Then as long as the
dialog exists calling MyDialog.GetUserName() and
MyDialog.GetPassword() returns them. This seems
insecure to me. Is there a better way to go about this
or is it safe as long as I destroy the dialog as soon
as I am done with it?
On a similar note, I want to save the password to a
file. How do I encrypt the password? I assume straight
binary is too easy to reverse engineer though my
program isn't really saving any vital information so
it may be acceptable. Any ideas or links would be very
appreciated.
Thanks in advance,
Todd A. Johnson
Todd Johnson wrote: I am creating a dialog in wxPython for login purposes. Basically when the user clicks the ok button, the dialog box saves the user name and password as class attributes. Then as long as the dialog exists calling MyDialog.GetUserName() and MyDialog.GetPassword() returns them. This seems insecure to me.
Why do you feel it's insecure?
On a similar note, I want to save the password to a file. How do I encrypt the password?
You don't encrypt passwords, you hash them. That means use a
cryptographically strong hashing algorithm such as SHA or MD5
and store the resulting value. Later, when a user has entered
a password which you want to check against the correct one, you
run the same hash algorithm on the password-under-test and compare
the result with the stored result. The hash algorithm is designed
so that it's computationally infeasible to reverse-engineer a
password that corresponds to a given hash value, making it about
as good as storing the real thing without the insecurity in
that approach. Luckily, these algorithms are already implemented
for you so you don't need to deal with the complexities.
Note, however, the likelihood that somebody interested in
cracking this whole system could easily do things like change
the Python source, or modify the password file that contains the
hash value, substituting their own pre-calculated hash which
matches the password they wish to enter.
Assuming you are just trying to prevent casual intrusion and
there's really nothing valuable involved, a simple hash using
the sha or md5 module would probably do fine. Of course, at this
point I fully expect a dozen people with more background in
security to start stomping all over this advice and tell you
how wrong it is, but I live to provide people with that kind of
opportunity. ;-)
I encourage you to learn more about this, too, by searching the
web or something. Time spent studying security issues will always
repay itself, no matter your current level of expertise...
-Peter
On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote: Todd Johnson wrote: On a similar note, I want to save the password to a file. How do I encrypt the password?
You don't encrypt passwords, you hash them. That means use a cryptographically strong hashing algorithm such as SHA or MD5 and store the resulting value. Later, when a user has entered a password which you want to check against the correct one, you run the same hash algorithm on the password-under-test and compare the result with the stored result. [...] -Peter
Hi Peter,
what about if I want to reload an entered password?
I wrote an e-mail client, and I haven't found a way to store the password
that a user enters the first time and use it when the program is restarted.
I don't want to ask the user for the account password every time, but also
I don't want to store it as plain text.
Do you know what is the usual practice in these cases?
Thanks,
Riccardo
--
-=Riccardo Galli=-
_,e.
s~ ``
~@. ideralis Programs
.. ol
`**~ http://www.sideralis.net
Riccardo Attilio Galli wrote: On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:
Todd Johnson wrote: On a similar note, I want to save the password to a file. How do I encrypt the password?
You don't encrypt passwords, you hash them. That means use a cryptographically strong hashing algorithm such as SHA or MD5 and store the resulting value. Later, when a user has entered a password which you want to check against the correct one, you run the same hash algorithm on the password-under-test and compare the result with the stored result. [...]
what about if I want to reload an entered password? I wrote an e-mail client, and I haven't found a way to store the password that a user enters the first time and use it when the program is restarted. I don't want to ask the user for the account password every time, but also I don't want to store it as plain text. Do you know what is the usual practice in these cases?
As near as I can understand your questions, the approach I provided
solves all these issues. You need to do a little research into this
stuff on the web, or do some experimentation, before you'll understand
it well enough to use it, perhaps.
In a nutshell, this is the point: you never use the plaintext form of
the password. As soon as it is entered, you convert it to a hash. You
store the hash, and if a user later enters a password and you need to
check it, you convert *it* to a hash and compare the hashes. Never,
ever, store or compare plain text passwords. Does that help?
-Peter
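Added example, not code from the thread: Peter's "hash at entry, store the hash, compare hashes" scheme in Python 3, applied to Todd's dialog question. It goes a step beyond the bare SHA/MD5 digest the post mentions by using hashlib's PBKDF2 with a random per-user salt, so two users with the same password do not get the same stored value; the names LoginResult, hash_password, verify_password, the record format and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. Record format and names are assumptions.
ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows


def hash_password(password, salt=None):
    """Hash the plaintext once, right after entry, with a random per-user salt.

    Returns a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The plaintext is used only inside this function and never kept."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(record, candidate):
    """Re-run the same hash on the password under test and compare the hashes.

    hmac.compare_digest avoids leaking where the comparison first differs."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or damaged record: fail closed
    _, iterations, salt_hex, hash_hex = parts
    try:
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


class LoginResult:
    """What a login dialog should hand back instead of GetPassword():
    the user name and the hash record. No attribute holds the plaintext."""

    def __init__(self, username, password):
        self.username = username
        self.password_record = hash_password(password)
        # 'password' is only a local here; it is not stored on self.


def save_record(path, username, record):
    """Append 'username:record' to the password file."""
    with open(path, "a", encoding="utf-8") as f:
        f.write("%s:%s\n" % (username, record))


def load_record(path, username):
    """Return the stored record for username, or None if absent."""
    with open(path, encoding="utf-8") as f:
        for line in f:
            name, _, record = line.rstrip("\n").partition(":")
            if name == username:
                return record
    return None
```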
"Riccardo Attilio Galli" <ri*****@riquito.matrix> wrote in message
news:pa****************************@riquito.matrix... On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:
I don't want to ask the user for the account password every time, but also I don't want to store it as plain text.
Do you know what is the usual practice in these cases?
The usual practice is to store the password in some trivially breakable encryption
scheme, preserving some illusion of security.
Richard Brodie wrote: "Riccardo Attilio Galli" <ri*****@riquito.matrix> wrote in message news:pa****************************@riquito.matrix... On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:
I don't want to ask the user for the account password every time, but also I don't want to store it as plain text.
Do you know what is the usual practice in these cases?
The usual practice is to store the password in some trivially breakable encryption scheme, preserving some illusion of security.
Hah! :-) True... sadly.
I'll say what I said a moment ago in the other response, but in a different way.
If it is possible to retrieve the plaintext password, whether because it was
stored in plaintext or because it was stored with some trivially breakable
encryption scheme (or even if it was stored with an incredibly sophisticated
encryption scheme), the system is broken. Nobody, administrators included,
should ever be able to retrieve the plaintext password of a user, and even with
a fancy encryption scheme, there is always a separate password or key which
can be used to reverse the encryption.
Use hashes.
-Peter
On Tue, 23 Sep 2003 09:28:49 -0400, Peter Hansen wrote: Riccardo Attilio Galli wrote: what about if I want to reload an entered password? I wrote an e-mail client, and I haven't found a way to store the password that a user enters the first time and use it when the program is restarted. I don't want to ask the user for the account password every time, but also I don't want to store it as plain text. Do you know what is the usual practice in these cases?
[...] In a nutshell, this is the point: you never use the plaintext form of the password. As soon as it is entered, you convert it to a hash. You store the hash, and if a user later enters a password and you need to check it, you convert *it* to a hash and compare the hashes. Never, ever, store or compare plain text passwords. Does that help?
-Peter
I think you have misunderstood me (mmm, I hope it sounds polite enough in
English). A user should never enter the password again. I know how hashes
work, and they're useful when I can compare an entered password with a
hash value, but here I need the user not to enter a password anymore
(after the first time).
The natural use of the program would be:
run the e-mail client for the first time
user enters his e-mail password
the client checks for new mails
user closes the client.
while 1:
    user runs the e-mail client
    the client checks for new mails WITHOUT asking for a password
    user closes the client
I hope I was clearer. I think Richard got the point, with a "sad but true"
answer.
Ciao,
Riccardo
In article <pa****************************@riquito.matrix>,
Riccardo Attilio Galli <ri*****@riquito.matrix> wrote: I think you have misunderstood me (mmm, I hope it sounds polite enough in English). A user should never enter the password again. I know how hashes work, and they're useful when I can compare an entered password with a hash value, but here I need the user not to enter a password anymore (after the first time).
The natural use of the program would be: run the e-mail client for the first time; user enters his e-mail password; the client checks for new mails; user closes the client.
while 1: user runs the e-mail client; the client checks for new mails WITHOUT asking for a password; user closes the client
This is extremely difficult to do in a secure way. What you need to do
is encrypt the e-mail password before storage; each time the user starts
the e-mail application, zie needs to enter the local password. There are
other less secure options, all of which (with some partial exceptions)
equate to "no security" from the perspective of a security professional.
(E.g. relying on the OS to keep the data secure.)
Python does not make encryption available in its "batteries included"
philosophy because of the legal problems. M2Crypto is probably the
module most often used; see also http://www.amk.ca/python/code/crypto.html
--
Aahz (aa**@pythoncraft.com) <*> http://www.pythoncraft.com/
"It is easier to optimize correct code than to correct optimized code."
--Bill Harlan
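Added example, not code from the thread and not M2Crypto: the design Aahz describes, in Python 3 with the third-party `cryptography` package (assumed installed) standing in for M2Crypto. The user types a local password at each start, a key is derived from it with PBKDF2, and the stored e-mail password is decrypted with that key; a wrong local password or a modified file yields a clean failure rather than garbage. The function names, the salt-plus-token file layout and the iteration count are my own assumptions.

```python
import base64
import os

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Added example (not from the thread). 'cryptography' is a modern stand-in
# for the M2Crypto module Aahz mentions; names and layout are assumptions.
ITERATIONS = 100_000  # assumed work factor


def derive_key(local_password, salt):
    """Turn the local password the user types at startup into a Fernet key."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                     iterations=ITERATIONS)
    return base64.urlsafe_b64encode(kdf.derive(local_password.encode("utf-8")))


def seal_mail_password(local_password, mail_password):
    """First run: encrypt the e-mail password under the local password.

    Returns the bytes to write to the config file: 16-byte salt + Fernet token.
    The token carries its own IV and HMAC, so later modification is detected."""
    salt = os.urandom(16)
    token = Fernet(derive_key(local_password, salt)).encrypt(
        mail_password.encode("utf-8"))
    return salt + token


def open_mail_password(local_password, blob):
    """Later runs: re-derive the key from the typed local password and decrypt.

    Returns the e-mail password, or None if the local password is wrong or the
    stored blob was altered (Fernet's HMAC check fails in both cases)."""
    if len(blob) < 16:
        return None
    salt, token = blob[:16], blob[16:]
    try:
        return Fernet(derive_key(local_password, salt)).decrypt(token).decode("utf-8")
    except InvalidToken:
        return None
```

The plaintext e-mail password exists only in memory while the client is running; nothing on disk can be read back without the local password.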
Riccardo Attilio Galli wrote: On Tue, 23 Sep 2003 09:28:49 -0400, Peter Hansen wrote: I think you have misunderstood me (mmm, I hope it sounds polite enough in English). A user should never enter the password again. I know how hashes work, and they're useful when I can compare an entered password with a hash value, but here I need the user not to enter a password anymore (after the first time).
The natural use of the program would be: run the e-mail client for the first time; user enters his e-mail password; the client checks for new mails; user closes the client.
while 1: user runs the e-mail client; the client checks for new mails WITHOUT asking for a password; user closes the client
I hope I was clearer. I think Richard got the point, with a "sad but true" answer.
Ciao, Riccardo
I really think he didn't understand you, because hashing a password that
you will need again isn't possible. You need to store the password in an
encrypted form, but I don't know how to generate the master password (the one
that is used by the crypto program to encrypt the POP or IMAP
password). I really don't understand a lot about encrypting something,
but SHA1 and MD5 are not reversible. If they were, then I would download
only the signature of a file and not the file. Now you need to know how
Mozilla does it.
On Tue, 23 Sep 2003 12:34:56 -0400, Aahz wrote: This is extremely difficult to do in a secure way. What you need to do is encrypt the e-mail password before storage; each time the user starts the e-mail application, zie needs to enter the local password. There are other less secure options, all of which (with some partial exceptions) equate to "no security" from the perspective of a security professional. (E.g. relying on the OS to keep the data secure.)
Python does not make encryption available in its "batteries included" philosophy because of the legal problems. M2Crypto is probably the module most often used; see also http://www.amk.ca/python/code/crypto.html
ok, thank you all.
curiosity: what is "zie" intended to mean? Is it maybe slang for he/she?
Ciao,
Riccardo