
Password Encrypting 2

Status
Not open for further replies.

ViperInc

Programmer
Mar 13, 2001
Hi.

Planning to create a program which is in need of a logging in system.

I just want to know if it's possible for VB to encrypt the passwords for a specific user into a file instead of using a .txt or .dat file to store the data in?

thanx

VPR
 
Do a search for 'encryption' on this forum. You will find several answers, including strongm's excellent answer (thread222-535644).


________________________________________________________________
If you want to get the best response to a question, please check out FAQ222-2244 first

'People who live in windowed environments shouldn't cast pointers.'
 
I am, once again, proposing my HashData solution in thread222-417421.

I always wonder why people don't use this simple function for this purpose. I am not sure about the integrity and security level of the encryption done with this method. But I have used this method successfully in many programs without any problem or security threat. But now I am getting doubtful about the reliability of this method.

I need some experts' advice about this method and its integrity and security level so that I can decide whether I should use this method in future or switch to other methods like MD5 as explained by strongm.

strongm, johnwm, vb5prgmr and others... Please comment...
 
Hypetia

I have no problems with HashData routine as a hashing routine, and storing hashes instead of encrypted passwords works for me. The reason I pointed to strongm's code rather than yours was that ViperInc asked for encryption rather than hash, so I thought they might want to do more than just password validation.

A good hash routine is probably a better mechanism for password validation than encryption IMHO
[smile]

 
thanx johnwm

Will look through it and pick out what I need.
 
OK I got your point. Thank you.

Also waiting for comments from others...
 
Yep, I'd agree that for simple obfuscation a good hash is fine.

The only minor worry that I have is that I have never found a description anywhere of the algorithm used in shlwapi's HashData function. I suspect it is probably MD5, but can't find confirmation of that anywhere.
 
Yes, the algorithm used behind the HashData function is not publicly open. It is kept secret by Microsoft and I have never found a single site explaining the working of this function. In a sense, this confidentiality is also good from the security point of view.

Anyway, thanks for clearing my confusion. Now I can continue to use this function without any security threats or doubts.
 
>In a sense, this confidentiality is also good from the security point of view

Well, see, this is my problem. I'm from the camp that believes that thorough scrutiny of code used in security is a better policy than keeping things secret.
 
hmmm... I understand your point. I think you are right.
 
Just a note on these two statements by you, Hypetia:

"I am not sure about the integrity and security level of the encryption done with this method."

"But I have used this method successfully in many programs without any problem or security threat."

If you are not sure about the integrity and security of a system, how can you say that there is no security threat? Maybe I'm reading your statement wrong, but if you don't understand how secure something is then it's hard, if not impossible, to say that it keeps anything safe.

I'm all for hash routines, as encrypting a password does no good if the program that does the encryption and decryption is the same. I can easily pull the algorithm from compiled code and reverse it. But then I'm of the feeling that if they have gotten to your database and have access to the encrypted password then it's probably too late and the hashed password isn't going to help you.

I agree with strongm. Open source and discussion of encryption and hash routines is better than holding code secret. It just makes it harder to verify there are not HUGE gaping holes in the algorithm. I've seen 64-bit key encryption broken in seconds because of weaknesses that I'm sure the original makers didn't actually know were there. Knowing the algorithm for a good hash shouldn't help you any in reversing or weakening it. Again, if you have the code that does the hashing then you can walk through it and see exactly what is happening anyway. That, and I wouldn't put it past MS to put back doors in anything.
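An added example, not code from this thread, showing the point johnwm and Vampire make above: a password file protected by a key embedded in the program is recoverable by anyone holding the program, whereas a stored hash can only be verified. It is written in Python rather than VB, uses a documented hash (SHA-256 via PBKDF2) in place of the undocumented HashData, and adds a per-user salt, which goes beyond what the thread discusses; the XOR "encryption" and the key value are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into the program. Anyone with the
# executable can extract it, so a reversible scheme protects nothing.
EMBEDDED_KEY = b"demo-key-inside-the-exe"

PBKDF2_ROUNDS = 100_000


def xor_with_key(data: bytes) -> bytes:
    """Toy reversible 'encryption' (XOR). Applying it twice returns the input,
    so whoever has the program can decrypt the stored password file."""
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(data))


def make_record(password: str, salt: bytes = b"") -> str:
    """Build the 'salt$digest' line that would go into the password file.
    A random salt is drawn when none is supplied (a fixed one is only for tests)."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time.
    The record never yields the password itself, whatever algorithm knowledge
    an attacker has: the public algorithm is not the secret."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    stored_blob = xor_with_key(b"hunter2")                 # "encrypted" file entry
    print("recovered from blob:", xor_with_key(stored_blob))  # b'hunter2'
    rec = make_record("hunter2")
    print("hashed record:", rec)
    print("verify correct:", verify("hunter2", rec))     # True
    print("verify wrong:  ", verify("hunter3", rec))     # False
```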
 
I have used this function in many programs but I had doubts about it due to two major reasons.
1 - The algorithm behind it is undocumented.
2 - I have not seen other programmers encouraging the use of this function (I think it is due to the same reason that its working is kept secret).

That's why I was a bit confused and humbly proposed this solution in this thread.

I admit that my view about the secrecy of the algorithm was wrong. strongm, you and Vampire are right as he said:
"Security through obscurity is rarely a good idea"

I appreciate all of you for your expert advice.
Thank you.
 