Lazarus

Programming => General => Topic started by: daveinhull on January 08, 2019, 02:08:31 pm

Title: Encrypted passwords
Post by: daveinhull on January 08, 2019, 02:08:31 pm
Hi, before I go too far searching (already done some), I thought I'd just ask anyone for their thoughts.

My program (as I've been previously discussing) needs to send emails and as such I need to use a password.

My (quick) question is how and where should I store these passwords?

Obviously they need to be encrypted so what is the easiest means to do this, is there a module?

I was also thinking of storing them in the Registry as 1) it would help me learn about accessing the Registry for other things and 2) seems like a good place to store stuff that is needed on a regular basis? I wasn't keen on the idea of an .ini file, but not averse to it.

Thanks
Dave
Title: Re: Encrypted passwords
Post by: HeavyUser on January 08, 2019, 02:25:51 pm
On Windows use the credentials manager (see CredWriteW/CredReadW) https://docs.microsoft.com/en-us/windows/desktop/SecAuthN/authentication-functions#credentials_management_functions; on Linux I guess GNOME Keyring is one of the libraries; on macOS I have no idea.
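The Credential Manager route mentioned above, as an added Free Pascal example that is not part of the original thread: it stores a generic credential with CredWriteW and reads it back with CredReadW. The record and external declarations are written out by hand from Microsoft's wincred.h, and the target name, user name and password are constructed sample values.

```pascal
program CredStoreDemo;
{$mode objfpc}{$H+}
{$PACKRECORDS C}
uses Windows;
const
  CRED_TYPE_GENERIC = 1;            // values from wincred.h
  CRED_PERSIST_LOCAL_MACHINE = 2;
type
  PCredentialW = ^TCredentialW;
  TCredentialW = record             // CREDENTIALW, declared by hand for this example
    Flags, CredType: DWORD;
    TargetName, Comment: PWideChar;
    LastWritten: TFileTime;
    CredentialBlobSize: DWORD;
    CredentialBlob: PByte;
    Persist, AttributeCount: DWORD;
    Attributes: Pointer;
    TargetAlias, UserName: PWideChar;
  end;
function CredWriteW(Cred: PCredentialW; Flags: DWORD): BOOL; stdcall; external 'advapi32.dll';
function CredReadW(TargetName: PWideChar; CredType, Flags: DWORD;
  out Cred: PCredentialW): BOOL; stdcall; external 'advapi32.dll';
procedure CredFree(Buffer: Pointer); stdcall; external 'advapi32.dll';

// Writes (or overwrites) a generic credential; the secret is stored as UTF-16 bytes.
function StoreSecret(const Target, User, Secret: UnicodeString): Boolean;
var C: TCredentialW;
begin
  FillChar(C, SizeOf(C), 0);
  C.CredType := CRED_TYPE_GENERIC;
  C.TargetName := PWideChar(Target);
  C.UserName := PWideChar(User);
  C.CredentialBlob := PByte(PWideChar(Secret));
  C.CredentialBlobSize := Length(Secret) * SizeOf(WideChar);
  C.Persist := CRED_PERSIST_LOCAL_MACHINE;
  Result := CredWriteW(@C, 0);
end;
// Reads the secret back; the buffer returned by Windows must be released with CredFree.
function LoadSecret(const Target: UnicodeString; out Secret: UnicodeString): Boolean;
var P: PCredentialW;
begin
  Secret := '';
  Result := CredReadW(PWideChar(Target), CRED_TYPE_GENERIC, 0, P);
  if not Result then Exit;
  SetString(Secret, PWideChar(P^.CredentialBlob), P^.CredentialBlobSize div SizeOf(WideChar));
  CredFree(P);
end;
var S: UnicodeString;
begin  // constructed sample values; the secret itself is never printed
  if StoreSecret('MyMailer/smtp', 'dave@example.invalid', 'constructed-sample-pw')
     and LoadSecret('MyMailer/smtp', S) then WriteLn('round trip ok: ', S = 'constructed-sample-pw')
  else WriteLn('Credential Manager call failed, error ', GetLastError);
end.
```

Any process running as the same Windows user can read a generic credential back, so this keeps the password out of plain files and away from other accounts, not from code already running in the user's session.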
Title: Re: Encrypted passwords
Post by: Pascal on January 08, 2019, 03:52:47 pm
You can also encode/decode the password yourself:
Code: Pascal
  uses ..., Classes, SysUtils, Dialogs, BlowFish;
  ...
  // GetPasswordHash is not shown in this post; it has to return the Blowfish key string.

  // Encrypts pValue with Blowfish and returns the ciphertext as uppercase hex.
  function Encode(pValue: String): String;
  var
    s: TStringStream;
    e: TBlowFishEncryptStream;
    tmp: String;
    h, l: Byte;
    i: Integer;
  begin
    s := TStringStream.Create('');
    try
      e := TBlowFishEncryptStream.Create(GetPasswordHash, s);
      try
        e.WriteAnsiString(pValue);
      finally
        // Freeing the encrypt stream flushes the last (padded) 8-byte block
        // into s, so it has to happen before s.DataString is read.
        e.Free;
      end;
      tmp := s.DataString;
      Result := '';
      // Hex-encode every ciphertext byte: high nibble first, then low nibble.
      for i := 1 to length(tmp) do begin
        h := Byte(tmp[i]) shr 4;
        l := Byte(tmp[i]) and $0F;
        case h of
          0..9: Result := Result + char(48 + h);    // '0'..'9'
          10..15: Result := Result + char(55 + h);  // 'A'..'F'
        end;
        case l of
          0..9: Result := Result + char(48 + l);
          10..15: Result := Result + char(55 + l);
        end;
      end;
    finally
      s.Free;
    end;
  end;

  // Reverses Encode: hex-decodes pValue, then decrypts it with the same key.
  // Returns '' for empty input or when decoding fails.
  function Decode(pValue: String): String;
  var
    tmp: string;
    s: TStringStream;
    d: TBlowFishDeCryptStream;
    z, h, l: Byte;
    i: Integer;
  begin
    Result := '';
    try
      if pValue = '' then
        exit;
      tmp := '';
      i := 1;
      // Two hex digits (uppercase A..F or 0..9) make one ciphertext byte.
      while i < length(pValue) do begin
        z := 0;
        h := Byte(pValue[i]);
        case h of
          65..70: z := h - 55;
          48..57: z := h - 48;
        end;
        z := z shl 4;
        l := Byte(pValue[i+1]);
        case l of
          65..70: z := z + l - 55;
          48..57: z := z + l - 48;
        end;
        tmp := tmp + char(z);
        inc(i, 2);
      end;
      s := TStringStream.Create(tmp);
      d := TBlowFishDeCryptStream.Create(GetPasswordHash, s);
      try
        Result := d.ReadAnsiString;
      finally
        d.Free;
        s.Free;
      end;
    except
      on E: Exception do begin
        Result := '';
        ShowMessage(Format('Fehler in Decode("%s"):'#10'%s',[pValue, E.Message]));
      end;
    end;
  end;
Title: Re: Encrypted passwords
Post by: daveinhull on January 08, 2019, 04:09:31 pm
Thanks guys, great start  :D
Title: Re: Encrypted passwords
Post by: minesadorada on January 08, 2019, 08:32:45 pm
You could use the cryptini component (from OPM) to read/write them from an INI file.
Title: Re: Encrypted passwords
Post by: Leledumbo on January 12, 2019, 07:56:48 pm
> My (quick) question is how and where should I store these passwords?
>
> Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.
Title: Re: Encrypted passwords
Post by: lucamar on January 12, 2019, 09:01:58 pm
>> My (quick) question is how and where should I store these passwords?
>>
>> Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
> Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.

Hashing won't do: They're used to access other services so he needs to be able to recover them -

> My program (as I've been previously discussing) needs to send emails and as such I need to use a password.
>
> My (quick) question is how and where should I store these passwords?
Title: Re: Encrypted passwords
Post by: Ñuño_Martínez on January 14, 2019, 01:36:51 pm
>>> My (quick) question is how and where should I store these passwords?
>>>
>>> Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
>> Encrypting a password is a bad idea, the correct method is to hash it so that it can't be recovered, only matched.
>
> Hashing won't do: They're used to access other services so he needs to be able to recover them -
But you don't need to recover.  Just store the hash and to check you do: "IF GetHash (Password) = HashedPassword THEN".
Title: Re: Encrypted passwords
Post by: lucamar on January 14, 2019, 02:58:06 pm
> But you don't need to recover.  Just store the hash and to check you do: "IF GetHash (Password) = HashedPassword THEN".

No. Read the OP's post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other services and he wants to store them securely.

> My program (as I've been previously discussing) needs to send emails and as such I need to use a password.
>
> My (quick) question is how and where should I store these passwords?
>
> Obviously they need to be encrypted so what is the easiest means to do this, is there a module?
Title: Re: Encrypted passwords
Post by: Bart on January 14, 2019, 10:23:32 pm
> No. Read the OP's post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other services and he wants to store them securely.

There is no secure way to store a password in that context.
If you can decrypt it, then some hacker will also.

Bart
Title: Re: Encrypted passwords
Post by: lucamar on January 14, 2019, 10:43:40 pm
> There is no secure way to store a password in that context.
> If you can decrypt it, then some hacker will also.
>
> Bart

Of course; it's an arms race between strong encryption implementors and crackers (not hackers, please). The question is: is it possible to encrypt a password vault so that it won't be easily breached today or tomorrow or in the next six months? And the answer is ... yes, probably. It won't deter everyone but it will most. One can't ask for more (even if you work for the CIA :))

Do note that that hashing you're all recommending is also crackable and new hash algorithms are being created to try to avoid that ... with the same results: SHA1 anyone? MD5?
Title: Re: Encrypted passwords
Post by: garlar27 on January 15, 2019, 12:03:21 am
In the PCI standard (https://www.pcisecuritystandards.org/) you might find some advice.
Title: Re: Encrypted passwords
Post by: Ñuño_Martínez on January 15, 2019, 07:45:38 pm
> No. Read the OP's post. He isn't asking the user for a password, he's trying to store passwords the program can use to access other services and he wants to store them securely.
Oh, I misunderstood.

> (...) crackers (not hackers, please). (...)
Yes.  I'm a hacker, not a cracker. 8)