Password Manager V.1
RE: Password Manager V.1 #21
(06-03-2013, 07:50 AM)Deque Wrote:
(05-23-2013, 08:35 PM)ArkPhaze Wrote: If I'm understanding this correctly, "mysimplepassphrase" is used for both the encryption and decryption as the key, but for decryption, it checks against the hardcoded plaintext of the master password anyways to see if you have entered the master password as input, itself? :lol:

I would save that checking value as an SHA256 hash or something, then on decryption, check if $sha256_hash(value) is == the hardcoded value if you're going to hardcode anything.

Even better to include some kind of salt on top to add a bit of "zest". (Bake for 20 minutes, and then let stand for 5. lol) Wink

No. The master password is never stored. "mysimplepassphrase" is not used as a key. It is a known plaintext. Not more or less. Let's rename it to "knownplaintext". The only purpose of "knownplaintext" is to know whether the decryption was successful.

Storing a hash like you want to do it, is more insecure and not necessary.

I shall change the pseudocode for more clarity:

This is encrypting:

Code:
masterpass = getUserInput("What is your master password?")
text = "knownplaintext\n" + logindata
encryptedText = text.encrypt(masterpass)
writeToFile(encryptedText)

This is decrypting:

Code:
masterpass = getUserInput("What is your master password?")
decryptedtext = file.decrypt(masterpass)
firstline = decryptedtext.readLine()
if(firstline == "knownplaintext") {
   #correct pass was used, because we could successfully decrypt the known plaintext
} else {
   #wrong pass, the text was decrypted to some gibberish
}

Also: SHA is not the best hash algorithm for passwords. There are better ones, which were solely designed for storing password hashes. Example: scrypt (>>link<<)

With the way I read what you posted, hashing the way I mentioned would have been more secure. I didn't get/understand what you originally posted though because this is not the way I imagined it. Smile

scrypt is "for the truly paranoid" though lol. And in places where speed may be a consideration for performance, that's where the scale balances itself out as to what you should use. For one master password, I suppose that's irrelevant.
ArkPhaze
"Object oriented way to get rich? Inheritance"
Getting Started: C/C++ | Common Mistakes
[ Assembly / C++ / .NET / Haskell / J Programmer ]
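The scheme Deque describes in the quoted pseudocode (a known plaintext prepended to the login data, the master password never written to disk, scrypt instead of plain SHA for anything derived from the password) written out as a runnable Python example. This is added illustration, not code from the thread or from the Password Manager V.1 project. Everything below is an assumption of the example: the vault layout (salt, nonce, then ciphertext), the scrypt cost parameters, and the keystream built from HMAC-SHA256 in counter mode, which is a stand-in so the example runs with only the standard library; a real vault would use an authenticated cipher such as AES-GCM for the encryption step.

```python
import hashlib
import hmac
import os
from typing import Optional

# The known plaintext from the pseudocode: its only job is to tell us whether
# decryption with the entered master password produced the original bytes.
KNOWN_PLAINTEXT = b"knownplaintext\n"
SALT_LEN = 16    # assumed layout: 16-byte scrypt salt
NONCE_LEN = 16   # assumed layout: 16-byte keystream nonce


def derive_key(masterpass: str, salt: bytes) -> bytes:
    """Turn the master password into a 32-byte key with scrypt.

    The password itself is never stored; only the random salt is written to
    the vault, and the salt is not secret. Cost parameters are an assumption
    (n=2**14, r=8 uses about 16 MiB of memory per derivation).
    """
    return hashlib.scrypt(masterpass.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks.

    Constructed stand-in for a real cipher so the example is self-contained;
    the same call both encrypts and decrypts because XOR is its own inverse.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(masterpass: str, logindata: str) -> bytes:
    """Encrypting, as in the pseudocode: known plaintext + login data."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(masterpass, salt)
    text = KNOWN_PLAINTEXT + logindata.encode("utf-8")
    return salt + nonce + _keystream_xor(key, nonce, text)


def decrypt_vault(masterpass: str, blob: bytes) -> Optional[str]:
    """Decrypting: return the login data, or None if the password was wrong.

    A wrong password derives a different key, so the first bytes come out as
    gibberish instead of the known plaintext and the check fails.
    """
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(masterpass, salt)
    text = _keystream_xor(key, nonce, ciphertext)
    firstline = text[:len(KNOWN_PLAINTEXT)]
    # compare_digest keeps the comparison constant-time on the marker bytes.
    if not hmac.compare_digest(firstline, KNOWN_PLAINTEXT):
        return None
    return text[len(KNOWN_PLAINTEXT):].decode("utf-8", errors="replace")


def password_in_vault(masterpass: str, blob: bytes) -> bool:
    """True only if the master password appears verbatim in the vault bytes."""
    return masterpass.encode("utf-8") in blob


if __name__ == "__main__":
    # Constructed sample data for a local run.
    vault = encrypt_vault("correct horse", "site=example.test user=alice pw=hunter2\n")
    print(decrypt_vault("correct horse", vault))   # the login data
    print(decrypt_vault("wrong password", vault))  # None
    print(password_in_vault("correct horse", vault))  # False
```

The known-plaintext marker only answers the question in the pseudocode (was this the right password?); it says nothing about whether the bytes after the marker were altered on disk. An authenticated cipher covers both questions with one tag, which is why it is the better choice once the example leaves the standard library. The scrypt call also shows the trade-off ArkPhaze mentions: one derivation per unlock is a few tens of milliseconds, which is negligible for a single master password but would not be for bulk use.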

Messages In This Thread
Password Manager V.1 - by Ex094 - 05-22-2013, 07:01 PM