I'm making a program that has a login. Is there any way to encrypt the normal password so that it can't be read in the data base? I've done a trick but I'm not content with it. What I did was to get the first, mid, and last char only and convert each char into ascii. Is there a way to convert all the text into ascii or something like md5/hash in php?
I'm really sorry about this thing, I haven't mentioned that my project is a VB6 project.
Don't use MD5 to store hashed passwords! See stuff like http://www.freerainbowtables.com/ for reasons why. MD5 is thoroughly broken... Check what you have available in VB6 (I'm hardly a VB6 guy ;-)) in the realm of cryptography. Something based on (salted) password-based encryption stuff is what you want, Google for "vb6 pbkdf2", I see a lot of hits there :)
I have been using a class by Phil Fresle for generating MD5 signatures for strings. You can copy and paste the source to create the class. To use it in your application I suggest storing the hash rather than the password. The class source code can be found here.
Related
So I'm working on my own website with my login system.
I am working on the password storing part and have been looking at a couple of youtube videos where peoples tell me not to use things like md5 because it's outdated.
I looked at the video Tom Scott made about how NOT to store passwords and he told us to look up a recent tutorial on how to do it properly.
For my project I really need to store the passwords myself and not use anything like Facebook or Google for logins.
I looked at a lot of websites and questions here on Stack Overflow but can't seem to find anything from this year where it is all explained.
So now I'm wondering what is the best way in 2017 to store passwords?
Do I need to use a Salt and a Pepper? Maybe something else? And which hashing algorithm is the best at this moment? If possible I'd like to use this within php.
Can anyone help me out with these questions?
Thank you :)
I assume that you just want to store passwords for user authentication, and you asked for a PHP solution explicitely, so the answer must be to use the PHP function password_hash(). This function is up to date and handles all the tricky parts of password hashing.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
If you are interested in more indept information, you could have a look at my tutorial about safely storing passwords.
My goal is to actually import thousands of hostname/login/passwords into the sqlite database "signons.sqlite" . The table I believe I need is "moz_logins" .
For me this file is located at ~/.mozilla/RANDOM_STRING.default/signons.sqlite
I'm trying to figure out two things:
1) What is the encryption method used for encryptedUsername and encryptedPassword ?
2) What is the guid column/how are it's values created?
If the answer is somewhere along the lines of "You need to read the source code," that's fine, this task may be bigger than I imagined.
Any help would be appreciated.
Have you looked through http://kb.mozillazine.org/Password_Manager? There's a number of article links in it. The key should be in key3.db behind the master password, if needed. You'll need a way to handle the password.
Have a look at this post about the encryption.
Guid is some kind of unique ID, generated somehow :)
There are some backup/decryption etc programs available. Instead of rtfs of FF, you might have a look at those.
I'm working on implementing DSA digital signature algorithm. I understand the algorithm itself, one thing I don't really understand is how should my message look after it was signed?
For example, I have a text file that I'd like to sign and send to someone else. Where should I put the generated keys for verifying the signature, and how should I parse this message to verify the signature?
PKCS#7 is your friend.
Update: I forgot to mention, that CMS (Cryptographic Message Syntax) is an evolution of PKCS#7.
Eugene's link should answer your question. I will add one thing: Don't expect any actual security from your implementation of DSA. If you want the information secure, use an already-written DSA implementation. When not expertly written, crypto primitives can be terribly insecure.
Is this some kind of encrypted text. If so what is the message? What algorithm do they use to encrypt it.
/wEPDwUKLTg4NzIyNzcwNw9kFgICAw9kFggCAw8PFgIeBFRleHQFD1N1Z2FuIEtyaXNobmFuIWRkAgUPDxYCHwAFATVkZAIHDw8WAh4ISW1hZ2VVcmwFEX4vaW1hZ2VzL0ZpdmUuanBnZGQCDQ8PFgQfAAUOVHJ5IG9uY2UgbW9yZSEeB1Zpc2libGVnZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgEFDEltYWdlQnV0dG9uMbKoXKekKw34NtoM3F7LSsVyk27i
and this one also
/wEWAwKF0NmYAwLs0bLrBgLSwpnTCAezV8kYXyYZ4dulPyQ9ezcN3auX
Maybe; have you tried base64 decoding it, etc?
EDIT: yep, or something close to, as it's not all human readable -- if you let us know the context in which you acquired it, someone might be able to guess the format. Otherwise, we'll be making all sorts of guesses.
ÿ
-887227707ddTextSugan Krishnan!dd5ddImageUrl~/images/Five.jpgdd
Try once more!Visiblegdd_ControlsRequirePostBackKey_ImageButton1²¨\§¤+
ø6ÚÜ^ËJÅr“nâ
(Thanks to this online Base64 decoder).
I am trying to create a ticket for Remote Assistance. Part of that requires creating a PassStub parameter. As of the documentation:
http://msdn.microsoft.com/en-us/library/cc240115(PROT.10).aspx
PassStub: The encrypted novice computer's password string. When the Remote
Assistance Connection String is sent as a file over e-mail, to provide additional security, a
password is used.<16>
In part 16 they detail how to create as PassStub.
In Windows XP and Windows Server 2003, when a password is used, it is encrypted using
PROV_RSA_FULL predefined Cryptographic provider with MD5 hashing and CALG_RC4, the RC4
stream encryption algorithm.
As PassStub looks like this in the file:
PassStub="LK#6Lh*gCmNDpj"
If you want to generate one yourself run msra.exe in Vista or run the Remote Assistance tool in WinXP.
The documentation says this stub is the result of the function CryptEncrypt with the key derived from the password and encrypted with the session id (Those are also in the ticket file).
The problem is that CryptEncrypt produces a binary output way larger than the 15 byte PassStub. Also the PassStub isn't encoding in any way I've seen before.
Some interesting things about the PassStub encoding. After doing statistical analysis the 3rd char is always a one of: !#$&()+-=#^. Only symbols seen everywhere are: *_ . Otherwise the valid characters are 0-9 a-z A-Z. There are a total of 75 valid characters and they are always 15 bytes.
Running msra.exe with the same password always generates a different PassStub, indicating that it is not a direct hash but includes the rasessionid as they say.
Another idea I've had is that it is not the direct result of CryptEncrypt, but a result of the rasessionid in the MD5 hash. In MS-RA (http://msdn.microsoft.com/en-us/library/cc240013(PROT.10).aspx). The "PassStub Novice" is simply hex encoded, and looks to be the right length. The problem is I have no idea how to go from any hash to way the PassStub looks like.
I am curious, have you already:
considered using ISAFEncrypt::EncryptString(bstrEncryptionkey, bstrInputString) as a higher-level alternative to doing all the dirty work directly with CryptEncrypt? (the tlb is in hlpsvc.exe)
looked inside c:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm (WinXP) to see what is going on when you pick the Save invitation as a file (Advanced) option and provide a password? (feel free to add alert() calls inside OnSave())