Password program

Mar 8, 2009 at 5:16pm
#include <iostream>
#include <string>   // needed for std::string
#include <conio.h>  // getch(); non-standard, Windows/DOS only
using namespace std;

int main()
{
    int i = 0;
    char password[50] = "";   // fixed-size buffer, no bound check on i (see replies below)
    string str = "secret";    // expected password, stored as plaintext in the binary
    char ch;

    while (1) {
        ch = getch();         // read one keystroke without echo
        if (ch == '\b') {
            cout << "\b \b";  // erase the last '*' on screen
            if (i > 0) {
                password[i--] = '\0';
            }
        }
        else if (ch == '\n' || ch == '\r') {
            password[i] = '\0';  // terminate and stop on Enter
            break;
        }
        else {
            password[i] = ch;
            i++;
            cout << "*";
        }
    }

    if (password == str) {
        cout << "\n correct";
    }
    else {
        cout << "wrong";
    }
    return 0;
}

Please test it. It should work perfectly. Also please check it using curses.h instead of conio.h.
Last edited on Mar 8, 2009 at 5:17pm
Mar 9, 2009 at 4:25pm
Hmm... any comments?
Mar 9, 2009 at 10:55pm
Spread things out a little more. Put everything on its own line.
Mar 12, 2009 at 12:29am
Well, why can't you test it?

What are you looking for?

The obvious security holes are:
1) keystrokes are echoed to the screen;
2) there is a simple buffer overflow attack if the user types more than 50 characters;
3) the password is stored in plaintext in the executable;
4) the password comparison aborts at the first mismatch rather than comparing all characters (this is a subtle flaw, but nonetheless one that was exploited many years ago);
5) the password entered by the user is stored in plaintext in memory (another subtle flaw, but again one that was exploited many years ago).

Mar 13, 2009 at 2:31pm
>> 4) the password comparison aborts at the first mismatch rather than comparing all characters (this is a subtle flaw, but nonetheless one that was exploited many years ago)

Isn't that more efficient? The very first mismatch means the password is incorrect, so why compare any further?

>> 5) the password entered by the user is stored in plaintext in memory (another subtle flaw, but again one that was exploited many years ago);

Are you indicating some kind of encryption? Is it because other parts of the program cannot read it?
Mar 13, 2009 at 6:22pm
>> Isn't that more efficient? The very first mismatch means the password is incorrect, so why compare any further?

Yes and no.

Yes, technically speaking it will be a few nanoseconds faster. In reality, unless your password is many megabytes long, the speed difference won't even be measurable at the software level.

Nonetheless it is a security hole to compare only up to the point of failure.
Assuming passwords can have only [a-zA-Z0-9] for simplicity's sake, that's 62 different characters. A password of length N then has 62^N possible values. This quickly becomes impossible to brute force.

However, by comparing only up to the point of mismatch, I can, with some good engineering, write a program that requires at most 62*N (yes, 62 *times* N) guesses before it gets the correct password.


Mar 13, 2009 at 11:51pm
Also, if the password is stored as plaintext in memory, someone could easily just run a debugger and look at the password in memory. So yes, you definitely should encrypt it.
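The three fixes the replies ask for (a bounded read so over-long input cannot overflow, a comparison that walks the whole string instead of stopping at the first mismatch, and wiping the entered password from memory once it has been checked) can be shown together. The following is an added example written for this thread, not code from the original poster; the function names `read_password_bounded`, `constant_time_equal`, `secure_zero` and `check_password` are my own, and the keystrokes are fed from a constructed `std::istringstream` rather than `getch()` so it runs on any platform.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

// Read a password from `in`, keeping the original post's editing rules
// (backspace deletes, Enter/Return ends) but never storing more than
// `max_len` characters, so an over-long entry cannot overflow anything.
// Characters beyond the limit are dropped. Nothing is echoed.
std::string read_password_bounded(std::istream& in, std::size_t max_len) {
    std::string out;
    char ch;
    while (in.get(ch)) {
        if (ch == '\b' || ch == 127) {          // backspace or DEL
            if (!out.empty()) out.pop_back();
        } else if (ch == '\n' || ch == '\r') {  // end of entry
            break;
        } else if (out.size() < max_len) {
            out.push_back(ch);
        }
    }
    return out;
}

// Compare `expected` (the stored value) against `entered` without exiting
// early. The loop always runs the full length of `expected`, and every
// byte difference is OR-ed into one accumulator, so the time taken does
// not depend on where the first mismatching character is. A length
// mismatch is folded into the same accumulator instead of returning early.
bool constant_time_equal(const std::string& expected, const std::string& entered) {
    unsigned char diff = static_cast<unsigned char>(expected.size() != entered.size());
    for (std::size_t i = 0; i < expected.size(); ++i) {
        unsigned char x = static_cast<unsigned char>(expected[i]);
        unsigned char y = (i < entered.size()) ? static_cast<unsigned char>(entered[i]) : 0;
        diff |= static_cast<unsigned char>(x ^ y);
    }
    return diff == 0;
}

// Overwrite the bytes of a string that held a secret before releasing it.
// The stores go through a volatile pointer so the compiler cannot drop
// them as dead writes to memory that is about to be freed anyway.
// Returns the number of bytes wiped.
std::size_t secure_zero(std::string& s) {
    std::size_t n = s.size();
    if (n > 0) {
        volatile char* p = &s[0];
        for (std::size_t i = 0; i < n; ++i) p[i] = '\0';
    }
    s.clear();
    return n;
}

// Bounded read, length-independent compare, then wipe the entry.
bool check_password(std::istream& in, const std::string& expected) {
    std::string entered = read_password_bounded(in, 50);
    bool ok = constant_time_equal(expected, entered);
    secure_zero(entered);
    return ok;
}

int main() {
    // Constructed sample keystrokes standing in for getch():
    // "secrt", backspace, "et", Enter  ->  "secret"
    std::istringstream keystrokes("secrt\bet\n");
    const std::string expected = "secret";  // still plaintext in the binary (point 3 above)
    std::cout << (check_password(keystrokes, expected) ? "correct" : "wrong") << '\n';
    return 0;
}
```

Note that `constant_time_equal` fixes point 4 but not point 3: the expected value is still a literal in the binary. The usual remedy for that is to store a salted hash and compare the hash of the entry, which is a separate topic from what the thread covers.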