basic encryption and login check issue

#include <iostream>
#include <string>
using namespace std;

string login()
{
    string unencrypted;
    string encrypted = "PAATI";   // stored, XOR-encrypted password

    char key[7] = "123";
    // x/100%30 is 0 for every x in 0..4, so each character is XORed with key[0]
    for (int x = 0; x < 5; x++)
        unencrypted += encrypted[x] ^ key[x/100%30];
    return unencrypted;
}



How do I make an input password check whether it is the real password that matches the decrypted text, using that login function?

something like this:-

string psswd;
cin>> psswd;
if(username=="administrator" && psswd ==login())

What I meant by "psswd==login()" is: check if psswd equals the "unencrypted" string in the login function. How do I do that? (Mine is not working, obviously.)

closed account (o3hC5Di1)
Hi there,

You have two ways of going about this:

* Only use a hashing function and compare the hashed version of the stored password to the hashed version of the one that was typed.

* Make a separate encrypt() and decrypt() function, which you call as needed.

Generally it's not such a good idea to store passwords encrypted or unhashed as they can be easily used by anyone who has access (legitimate or otherwise) to the file. So I would hash the password once, store it, then compare the hash of any password that is typed during login with the stored hashed password.

So specifically, try to isolate the encryption or hashing from the login function by creating a separate encrypt() function, then you'll be able to use it in the login() function as well as when storing your encrypted password.

Hope that makes sense.

All the best,
NwN
I have not done a lot with C++ on the subject of security, BUT I have done a ton with PHP. It all comes to the same: NEVER store sensitive things like passwords or CC numbers unencrypted. It is also a good idea to separate them onto separate databases, just to limit how much someone could get IF they got access to one.


Usually the best is to encrypt something to a large size, say 15 chars long,
then limit the user input to, say, 10 chars long.

After that take the user input and use the same encryption method as the first time the password was set to a 15 char string and compare it to the string in the database.

The reason for limiting their input to 10, or just under your encrypted hash, is that no matter what they can never guess the encrypted hash you have stored, just because the input exceeds the limit. Also, they will never be able to guess how large the string is that you are comparing it to.

Which was the first method NwN mentioned, just a step further.
closed account (o3hC5Di1)
Just a small addition here: we need to distinguish encryption from cryptographic hashing.

Encryption means that you are basically obfuscating your data, but allow for a reverse process (decryption).
Cryptographic hashing (the method bmiller and myself are advising) is when you create a hash according to a certain algorithm (md5, sha, ...) which cannot be undone. The hash will always be the same if you feed the algorithm the exact same input ( in this case, the hash will be the same for the stored password and the typed one, if they are the same), but never the same otherwise. Rule of thumb, if you need to recover the original, use encryption, if you merely want to store a value but there's no need to recover the original value, hash it. This is why most websites don't offer you the possibility to request your password when you lost it. They store only hashes, not encryptions because that would leave the option open to an attacker to gain access to the actual passwords. By hashing them, attackers need to brute force, which takes a lot more time and resources usually.

Just so we don't get ourselves confused it's probably best to distinguish the two terms.

All the best,
NwN
I have no idea what you people are talking about. Can someone give me actual code?

I do not know how to store a password in a separate file. I prefer this simpler way.
closed account (o3hC5Di1)
Hi there,

If you would like to have the password in the actual code, this is called hard coded.
This is usually not advised as debuggers or decompilers can pick up this password as it is just another variable.
However, for your learning purposes, it's probably not an issue.

What you will need is to capture the password as a string (or as a char array).
Getting a string from std::cin is described here: http://cplusplus.com/doc/tutorial/basic_io/#cin_strings
Then you perform your encryption on that string, and check if that matches the encrypted string you have typed in the code.

Does that make sense?
I'd rather not give you an actual code right now because that would be pretty much giving you the solution, just figure out how to get the string from std::cin and the rest I think you already know.

Hope that helps.

All the best,
NwN
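
The check described in the post above, as an added example that is not code from the thread: the typed password is run through the same XOR step as the stored string "PAATI" and the two encrypted forms are compared. The names xor_transform, constant_time_equal and check_login are hypothetical, and the non-short-circuiting comparison is an addition the thread does not mention.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// XOR every byte with one key byte. This mirrors the thread's login(),
// whose index expression always selects key[0]. XOR is its own inverse,
// so the same function both encrypts and decrypts.
std::string xor_transform(const std::string& text, char key) {
    std::string out;
    out.reserve(text.size());
    for (char c : text) out += static_cast<char>(c ^ key);
    return out;
}

// Compare every byte instead of stopping at the first mismatch, so the
// run time does not reveal how many leading characters were correct.
bool constant_time_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;  // length is not treated as secret
    unsigned char diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

const std::string kStoredEncrypted = "PAATI";  // value from the thread
const char kKey = '1';                         // key[0] of "123" in the thread

// Encrypt the typed password and compare it with the stored encrypted
// form; the stored value is never decrypted during login.
bool check_login(const std::string& username, const std::string& typed) {
    bool user_ok = constant_time_equal(username, "administrator");
    bool pass_ok = constant_time_equal(xor_transform(typed, kKey),
                                       kStoredEncrypted);
    return user_ok && pass_ok;
}

int main() {
    std::string username, psswd;
    std::cout << "Username: ";
    std::cin >> username;
    std::cout << "Password: ";
    std::cin >> psswd;
    std::cout << (check_login(username, psswd) ? "Access granted\n"
                                               : "Access denied\n");
    return 0;
}
```

Because xor_transform reverses itself, anyone who reads the key and "PAATI" out of the binary recovers the password, which is the encryption-versus-hashing distinction made earlier in the thread.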
Thanks. This is a part of a bigger project. I know what I have to do, but can't do it; that is the problem :p
closed account (o3hC5Di1)
Well give it your best shot based on what I mentioned above and get back to us with what you came up with.
We're happy to help you along, but we won't do the work for you :)

All the best,
NwN
I have found the answer from somewhere else. That one explained what to do exactly and very clearly, so I coded it. Now OK. Thanks for trying to help, all.