Hiding Data

Started by Zen, December 28, 2005, 04:49:09 AM


Zen

I was just wondering how I would store a username and password in my program to connect to a database without people being able to view it in assembly?

I want to be able to store a MySQL username and password in a program I am making but do not wish people to be able to find it. It doesn't matter if it's not 100% secure as the data on the server will not be of much use to anyone.

Can this be done without buying some protection software?

Lewis

Ionic Wind Support Team

Just encrypt it. There are many encryption routines out there. The simplest being an XOR of all the characters with a value. XORing again with the same value results in the correct password.

MD5 is popular with web based databases.

Zen

So do I encrypt it before I enter it into my program, say as a variable? Then use the encryption routine to decrypt the data?

Lewis

Ionic Wind Support Team

Yes. We don't have data statements yet but even a variable will do. Say you have an md5 crypt...

password = "a7dg6398g47dgs73"
username = "hgfd73gjdgjs8wokdhq"

connect(unmd5(password), unmd5(username))

Which of course hides it from prying eyes.

Zen

He He. It's funny, I've just told Joske that MD5 is non-reversible, used for fingerprints. I will use RC4 as I have an implementation of that.

Thanks
Lewis

Parker

Yes, I was under the impression that MD5 was irreversible too, unless looking through a large database of all possible hashes. But what would happen if somebody sets up a different username and password? Shouldn't the program just load the names from a file? That's what phpBB does and probably most forums, you give it a username and password that work, and it creates all the databases it needs.

Ionic Wind Support Team

Of course it is reversible. Otherwise how would you get the plain text back?

unMD5 would be a function that uses your key to turn the hash back into plain text.

phpBB uses MD5 for the passwords. The username is stored in plain text in the database.

Parker

I made a php file:
<?php echo($_GET['str'].'<br>'.md5($_GET['str'])); ?>
and went to the following url:
http://localhost/md5.php?str=Hi there, this is a string used to test the MD5 algorithm. I don't know how it would be recovered, since the string is much longer than 32 characters, the total of an MD5 hash's length.

And the output I got was:
Hi there, this is a string used to test the MD5 algorithm. I don't know how it would be recovered, since the string is much longer than 32 characters, the total of an MD5 hash's length.
5bb242e36daa43ae9a354ff9ab49114b


MD5 outputs a fixed-length hash, 32 characters, which isn't reversible without using brute force. So that was my point, is that you can't get the text back, but by using another algorithm you can. MD5 is really the only one I've worked with, any others I have no knowledge of. But I do know that MD5 is a hashing algorithm.

http://en.wikipedia.org/wiki/MD5
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Ionic Wind Support Team

You're right. Was thinking of a different crypt algo I was using.

Still, MD5 would be good for hiding your data.

Parker

Hey, so how come it highlights PHP for us and not Aurora? ;)
I wonder if a C formatting plugin could be modified for this...

Parker

It looks like GeSHi can be used with SMF: http://qbnz.com/highlighter/index.php
Here's a forum that uses it, I don't know what language that is though: http://www.simplemachines.pl/smf/index.php?topic=44.new

Maybe it could be modified to allow [ aurora ] tags with its C++ parser, just different keywords.

Rod

What I've done in the past, which has worked for my purposes, is to store the username along with the MD5-hash of the password.

To log in, the user enters the username and plain-text password, which my program processes into the MD5-hash, then compares to the stored MD5-hash. If the hash values match, the user entered the correct password and is validated.

There is no need to un-MD5 the password to validate. Naturally, you can't retrieve a lost/forgotten password, but for security purposes, you don't want to do that anyway.

:)

Parker

Yes, that's what's generally done for PHP, but when the value is stored in the program, you don't want to tell anyone what it is. But I agree with your idea, and that it should be stored in a file or somewhere else, it makes it easier.
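
Added example (not code from any poster in this thread), in Python: it puts the three ideas discussed above side by side, namely the XOR round trip, the fixed 32-character MD5 output, and the store-the-hash-and-compare login from Rod's post. The function names and sample credentials are made up for illustration, and salted PBKDF2-HMAC-SHA256 is swapped in for the bare MD5 Rod mentions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR: reversible by anyone who has the key byte."""
    return bytes(b ^ key for b in data)


def md5_hex(text: str) -> str:
    """MD5 digest as hex: always 32 characters, whatever the input length."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_record(username: str, password: str) -> dict:
    """Build what gets stored: username, random salt, derived digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"username": username, "salt": salt, "digest": digest}


def verify(record: dict, username: str, password: str) -> bool:
    """Re-derive from the entered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS
    )
    same_user = hmac.compare_digest(
        username.encode("utf-8"), record["username"].encode("utf-8")
    )
    return same_user and hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    secret = b"db_password"  # constructed sample value
    hidden = xor_obfuscate(secret, 0x5A)
    print(hidden != secret, xor_obfuscate(hidden, 0x5A) == secret)
    print(len(md5_hex("short")), len(md5_hex("x" * 500)))
    rec = make_record("alice", "correct horse")  # constructed sample credentials
    print(verify(rec, "alice", "correct horse"), verify(rec, "alice", "wrong"))
```

The XOR value comes back because the key byte ships with the program, whereas the stored digest is only ever compared, never turned back into the password.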