patterncppModerate
Simple password encryption / decryption
Viewed 0 times
encryptionsimpledecryptionpassword
Problem
I'm working on a simple data storing program for my senior year (Secondary School / Grade 12), and there is a user sign-in functionality I've decided to implement. The way I've done this is by storing the usernames and passwords in a text file. They are stored as follows:
The usernames, I've decided to leave as plain text, as is decided by the user upon registration. The passwords however, I've decided to encrypt by inserting a special character ( '/' , '?' , ':', ...) between each of the characters entered by the user. This is simple to code as I've done:
For the time being, I've decided to only use on of the special characters to figure out the decryption mechanism. So, using
The above code, takes in the password from the file, and scans for the number 4 (explained in the comment above); if the current number is not 4, it stores its
There are drawbacks of this, mentioned at the bottom.
The verification mechanism for this system is as:
```
...
__int64 dy=0;
...
userName password
userName password
...The usernames, I've decided to leave as plain text, as is decided by the user upon registration. The passwords however, I've decided to encrypt by inserting a special character ( '/' , '?' , ':', ...) between each of the characters entered by the user. This is simple to code as I've done:
// password is passed to the function as a string parameter
fstream writer;
writer.open("database.txt", ios::app);
int separators[16];
for (int i = 0; i < 16; i++)
{
int randomi = rand() % (47 - 33 + 1) + 33;
separators[i] = randomi;
}
for (int j = 0; j < password.length(); j++)
{
int randomIndex = rand() % 6;
writer << (int)password[j] << separators[randomIndex];
}
writer << "\n";For the time being, I've decided to only use on of the special characters to figure out the decryption mechanism. So, using
'/' as the special character, the following is my decryption code: ...
__int64 l=0;
...
for (int i = 0; i 4) //greater than 4 as the ASCII values of alphabets are above 50
{
l = l * 10;
l = l + (a[i] - 48); //yields the int value from the ASCII number.
l = l * 10;
l = l + (a[i + 1] - 48);
}
}The above code, takes in the password from the file, and scans for the number 4 (explained in the comment above); if the current number is not 4, it stores its
int value in a variable called l. (Pardon the insignificant naming please), and does the same for the next letter, before incrementing i by 2, as the special character's ASCII value is 2 numbers.There are drawbacks of this, mentioned at the bottom.
The verification mechanism for this system is as:
```
...
__int64 dy=0;
...
Solution
What I'd like from you guys, is pretty much to judge the system, and maybe if someone will, post an estimate as to how hard this system would be to crack
For a professional cryptographer (which I am not), it would be very easy to crack, due to the following factors:
There are probably other factors making the code easy to crack, but as I said, I am not a crptographer.
(given that the special characters will be random), and if there are more efficient ways to go about making this system more secure. (I might decided to encrypt usernames as well).
You are looking at a problem with a "yes/no" answer (i.e. you need to check that the data is the same, not use decrpyted data in more complex computations), you should consider a one-way hash.
The idea is to construct an ireversible function, (irreversible = "given x, f(x) is easy to compute, but given f(x) it is difficult/impossible to compute x").
Using a one-way function in your case:
To encode the password, you apply the function.
To check the password, you ask for user input, you apply the function on the input, then compare the result with the already computed value (the one you need to verify).
This will (theoretically) allow you to make an algorithm that is not required to be reversible for checking the data.
As a rule of thumb though, security code is notoriously hard to get right. Consider:
For a professional cryptographer (which I am not), it would be very easy to crack, due to the following factors:
- the system relies on
rand(randis not really safe for cryptographic code; consider using a mersene twister, like mt19937).
- the algorithm has low entropy, meaning it is easy to brute-force it, using a password dictionary.
- considering your decryption algorithm is deducing the key from the data itself, a hacker could do the same.
There are probably other factors making the code easy to crack, but as I said, I am not a crptographer.
(given that the special characters will be random), and if there are more efficient ways to go about making this system more secure. (I might decided to encrypt usernames as well).
You are looking at a problem with a "yes/no" answer (i.e. you need to check that the data is the same, not use decrpyted data in more complex computations), you should consider a one-way hash.
The idea is to construct an ireversible function, (irreversible = "given x, f(x) is easy to compute, but given f(x) it is difficult/impossible to compute x").
Using a one-way function in your case:
To encode the password, you apply the function.
To check the password, you ask for user input, you apply the function on the input, then compare the result with the already computed value (the one you need to verify).
This will (theoretically) allow you to make an algorithm that is not required to be reversible for checking the data.
As a rule of thumb though, security code is notoriously hard to get right. Consider:
- using third party solutions (like CryptoPP or OpenSSL)
- using known solutions (OpenSSL, PGP/GPG)
- implementing known cryptographic algorithms (look up symetric encryption, asymetric encryption, commercial hash functions and algorithms)
Context
StackExchange Code Review Q#67322, answer score: 11
Revisions (0)
No revisions yet.