Solved

Crypting passwords

Posted on 2000-05-15
Last Modified: 2012-06-21
Hello, I want to crypt my password, so that nobody can decode this password. When I want to verify that the password was entered correctly, I must crypt it and compare the crypted password. So my question is, is there an API function that can do this?
Question by:milchew
17 Comments
 
LVL 5

Expert Comment

by:TheNeil
ID: 2809911
Why not write your own encrypter/decrypter? Alternatively go to http://www.torry.ru and look for encryption components. As for API calls then I don't think there are any

The Neil =:)
0
 
LVL 7

Accepted Solution

by:
Motaz earned 50 total points
ID: 2809915
See this question: http://www1.experts-exchange.com/bin/Q.10129520

These functions can crypt/decrypt any string:

(**** Cipher function : work as encryption/decryption procedure ***)

function Cipher(Password:string):string;
var
  i:integer;
begin
  RandSeed:=0;  (*** This can be a key ***)
  for i:=1 to Length(Password) do
    Password[i]:=char(Random(255) xor ord(Password[i]));
  Result:=Password;
end;

procedure WritePassword(Password,FileName:string);
var
  F:file;
  i,Len:byte;
  Buf:array [1..100] of char;
begin
  if Length(Password)>High(Buf) then exit; (*** Longer than Buf: would overflow ***)
  AssignFile(F,FileName);
  Rewrite(F,1);
  Password:=Cipher(Password);
  Len:=Length(Password);
  BlockWrite(F,Len,1);
  for i:=1 to Len do
    Buf[i]:=Password[i];
  BlockWrite(F,Buf,Length(Password));
  CloseFile(F);
end;

function ReadPassword(var Password:string;FileName:string):boolean;
var
  F:file;
  Buf:array [1..100] of char;
  Len,i:byte;
begin
  Result:=false;
  AssignFile(F,FileName);
  FileMode:=0; (*** Read only ***)
  {$i-}
  Reset(F,1);
  {$i+}
  if IOResult<>0 then exit; (*** Error ***)

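  BlockRead(F,Len,1);
  if Len>High(Buf) then (*** Stored length exceeds Buf: reject the file ***)
  begin
    CloseFile(F);
    exit;
  end;
  BlockRead(F,Buf,Len);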
  Password:='';
  for i:=1 to Len do
    Password:=Password+Buf[i];
  Password:=Cipher(Password);
  CloseFile(F);
  Result:=true;
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  Password:string;
begin
  WritePassword('Motaz','c:\1.txt');
  ReadPassword(Password,'c:\1.txt');
  Edit1.Text:=Password;
end;


Motaz
0
 
LVL 1

Expert Comment

by:AttarSoftware
ID: 2809992
It is not recommended that you use the random command in encryption routines, as Borland may change the implementation of it at will...

Just a reminder...

Tim.
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 2810045
>Hello, I Want to crypt my password, so that nobody can decode this password.

Impossible!

tips:

1) don't save the passwd in the file

if you do
2) make a checkblock to see if the passwd was altered..

3) if the same passwd is entered, e.g. "secret", make sure the encrypted part is NOT the same.

4) hide the passwd by using e.g. unnecessary bytes...

5) use many combinations of encryption
rol
xor
cypher
etc..

6) anti-known password hack
don't let the user give passwd like:
dog
cat
house
none
secret
company name

let them remember passwd like
jHFyrb3765HG*-*f47
*^ufn47JGH  3487rf3IYDFz
or worse!!

7) anti-brute force hack
if you make an interface for checking passwd (e.g. web-based) make sure you build in a delay... longer than 30 sec.. calculate nr# combinations * delay > 500 lifetimes

8) don't think a user can't hack the passwd

0
 
LVL 9

Expert Comment

by:ITugay
ID: 2810060
hi milchew,
there is the link:

http://www.mers.com/download/unixpass.zip

it's good enough for Interbase and Unix, maybe it's good for you too ;)?


----
Igor
0
 
LVL 7

Expert Comment

by:Motaz
ID: 2810180
There is another way of verifying passwords.

- Instead of saving the password after encryption, you can use the password as a key to encrypt a block of data.

- When the user enters a password, use it as a key to decrypt this block and check the data; if you get the right data, that means the key (password) is right.

- You can convert the password into an Integer value to use it as a key.

Motaz
0
 
LVL 2

Expert Comment

by:mullet_attack
ID: 2810253
If you're using NT, there is a whole Crypto API available to you, or there are many 3rd party tools available.

BTW, I like Motaz's idea a lot.

0
 
LVL 6

Expert Comment

by:Jaymol
ID: 2810314
Try the TEncrypt component on my site...


http://secretdelphi.cjb.net

It's pretty simple to use.

John.

GOD_ARES :

>>Hello, I Want to crypt my password, so that nobody can decode this password.

>imposible!

Erm....actually POSSIBLE!
0

 
LVL 3

Expert Comment

by:Mathias
ID: 2810356
It is possible to decode every password, but it might take a long time. Another choice is to get the PGP code -> Linux :-)
In this code you can also see how encoding and decoding work.
0
 
LVL 6

Expert Comment

by:Jaymol
ID: 2810370
Are we talking about something being possible if you live forever?  If not, then this is not possible.  I could encrypt a password and no-one would ever be able to decode it.  There's no discussion about it - you simply don't live long enough!  Think a bit more expansively.

John.
0
 
LVL 1

Expert Comment

by:saulite
ID: 2811763
Listening... Maybe more methods of Encryption/Decryption?
0
 
LVL 2

Expert Comment

by:Hagen040798
ID: 2812480
Hi

Try "Delphi Encryption Compendium" on Delphi Super Page.

SavePasswordStr := THash_MD5.CalcString(Password, nil, fmtHEX);

This converts your password with a "Secure One Way" function. This CAN NEVER BE REVERSED OR DECRYPTED, meaning it's really a One Way Function. Now, you save "SavePasswordStr" in a file.

On the next login do the same, and compare only the digests.

Understand?

Best Regards, Hagen

mailto:HaReddmann@AOL.COM
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 2812583
I think it will only be impossible to decode the pass when the time that would be necessary to let all things in the universe crack the code would be bigger than the total time the universe exists.

but that is impossible...... yet.
0
 
LVL 2

Expert Comment

by:mullet_attack
ID: 2812636
Hagen,

if a hacker knows MD5 is in use, then he hashes his own password, and replaces the one saved in the file. Bingo! He's in...
0
 
LVL 1

Expert Comment

by:saulite
ID: 2812732
And where can we find that THash_MD5 ??
0
 
LVL 2

Expert Comment

by:Hagen040798
ID: 2813307
To God Ares

Yes, MD5 is a 128 Bit Hash, an attacker must try 2^128 combinations. With SHA1 it is 2^160!

To mullet attack
Yes, but ALL possible methods, except public key cryptography, have this "problem".
In DEC you can use "Hash Message Authentication", short HMAC on RFC2107 Standard, or the "One Time Password" System ("opt", "s/key") component. These methods avoid these attacks. Once more, you can combine a hash multiple times with any strong symmetric encryption, like

R := THash_MD5.CalcString('Password', TMAC_RFC2107.Create('Password', TCipher_Blowfish.Create('Password', TCipher_IDEA.Create('Username', nil))), fmtHEX);

The above method is an MD5-HMAC-RFC2107-Blowfish-IDEA(SecondKey). You can concat a randomized salt and so on; in effect it's more secure than the UNIX login method (can restore the Password).

To saulite

Go to Delphi Super Page on "Compression/Encryption", where you can find "Cipher.zip"; in Unit Hash all possible One Way functions are implemented, such as MD4, MD5, SHA, SHA1, RipeMD, Haval, Tiger, Square, Sapphire etc.

Or try www.torry.ru/security.

On both pages you can find many more cryptographically STRONG encryption methods, NOT any primitive XOR methods. XOR'ing is in most cases ALWAYS reversible by XOR'ing :-))
0
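
An added example, not code from any poster in this thread or from DEC: the store-a-digest-and-compare scheme described above, written in Python with a per-password random salt (so the same password never yields the same stored value) and an HMAC tag that detects a record replaced in the file. It swaps plain MD5 for PBKDF2-HMAC-SHA256; the record layout, the function names, the iteration count and the assumption that `file_key` is kept outside the password file are all choices made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the login latency you accept

def _pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def hash_password(password):
    """Return 'iterations$salt$digest'; a fresh random salt is drawn per call."""
    salt = os.urandom(16)
    digest = _pbkdf2(password, salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = _pbkdf2(password, salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: wrong field count, bad hex, bad count
    return hmac.compare_digest(candidate, expected)

def _tag(record, file_key):
    return hmac.new(file_key, record.encode("utf-8"), hashlib.sha256).hexdigest()

def seal(record, file_key):
    """Append an HMAC tag computed with a key that is NOT stored in the file."""
    return record + "$" + _tag(record, file_key)

def open_sealed(sealed, file_key):
    """Return the record if its tag verifies, otherwise None."""
    record, _, tag = sealed.rpartition("$")
    expected = _tag(record, file_key)
    ok = hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8"))
    return record if ok else None

if __name__ == "__main__":
    key = os.urandom(32)                      # constructed key for the demo
    stored = seal(hash_password("secret"), key)
    record = open_sealed(stored, key)
    print(record is not None and verify_password("secret", record))
```

The tag only helps when someone who can write the password file cannot also read `file_key`.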
 
LVL 1

Author Comment

by:milchew
ID: 2815536
It was not what I was searching for, but this idea is very good for me. So, there is a "crypt" command in Unix, and I'm looking for something like this. But what Motaz says is good for me too.
0
