encrypted user password
TOPIC: encrypted user password
#3530
encrypted user password 6 Years, 2 Months ago Karma: 0
Hello,

here is a quick question:

when I create a shortcut to a logged in session of global, I get the command line (values changed/modified/edited):

"C:\Program Files\GO-Global for UNIX v2.2\goglobal_ux.exe" crypt=cSElpEcA/vQumMhbuwK5g8f4fXIrQ+NQ username=xxxxx host=xxxxxx.com transport=ssl launch="CDE on myhost"

my question is:
what is the encryption method of the "crypt" parameter ?

=> is it a hash-style ? (=not able to decrypt it)
is it secure enough ?
and most of all: how can I generate it by myself ?

(idea is to create a quick portal where users can save their passwords ... obviously: I don't want anyone, including myself, to be able to read plain text passwords... so using the crypt would be great IF there is no way to decrypt it)

Thanks for your help !
jeromejay
#3531
Re:encrypted user password 6 Years, 2 Months ago Karma: 2
jeromejay wrote:
> Hello,
>
> here is a quick question:
>
> when I create a shortcut to a logged in session of global, I get the command line (values changed/modified/edited):
>
> "C:\Program Files\GO-Global for UNIX v2.2\goglobal_ux.exe" crypt=cSElpEcA/vQumMhbuwK5g8f4fXIrQ+NQ username=xxxxx host=xxxxxx.com transport=ssl launch="CDE on myhost"
>
> my question is:
> what is the encryption method of the "crypt" parameter ?

The parameter is DES-encrypted using a fixed, embedded "secret" key value in the client.

> => is it a hash-style ? (=not able to decrypt it)

It is not a one-way hash. Since the client needs to be able to decrypt the password to send the plaintext version of it (as though the user were typing it in) during the login process, we could not use a one-way hash function for this purpose.

> is it secure enough ?

The design goal was to keep the passwords secure from casual observation. To that end, we believe that it is secure enough. It is probably not cryptographically secure enough to prevent a determined attacker from deriving the password, but we believe that any mechanism that stores the password on the client would be subject to this problem as well.

> and most of all: how can I generate it by myself ?

If you still want to do this, knowing that the encryption method is not the strongest, please contact me directly and I will try to assist you.

Thanks,
Troy
troy
Administrator
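
An audit check for the situation described in the reply above, as an added example that is not part of the thread or of GO-Global's own code: since the `crypt=` value can be reversed by anyone who has the client, a shortcut that carries it should be handled like a stored plaintext password. The sketch finds the parameter in a shortcut command line and masks it for logging; reading the value as Base64 is an assumption based on its alphabet, and all function names are hypothetical.

```python
import base64
import binascii
import re

# key=value tokens; a value is either "quoted with spaces" or a bare word.
PARAM_RE = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S+)')
DES_BLOCK = 8  # DES block size in bytes


def parse_params(cmdline):
    """Return the key=value parameters of a shortcut command line as a dict."""
    return {k.lower(): v.strip('"') for k, v in PARAM_RE.findall(cmdline)}


def redact(cmdline):
    """Copy of the command line that is safe to log: crypt= value masked."""
    return re.sub(r'(?i)(?<!\S)(crypt=)("[^"]*"|\S+)', r'\1<redacted>', cmdline)


def audit_shortcut(cmdline):
    """Classify one command line. Returns None when no crypt= is present."""
    params = parse_params(cmdline)
    blob = params.get("crypt")
    if blob is None:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)  # assumption: Base64
    except (binascii.Error, ValueError):
        raw = b""
    return {
        "username": params.get("username"),
        "host": params.get("host"),
        "ciphertext_len": len(raw),
        "block_aligned": bool(raw) and len(raw) % DES_BLOCK == 0,
        # Fixed key embedded in the client => handle like a plaintext password.
        "severity": "reversible-credential",
        "log_safe": redact(cmdline),
    }


# Sample taken from the first post (values already edited by the poster).
SAMPLE = (r'"C:\Program Files\GO-Global for UNIX v2.2\goglobal_ux.exe" '
          r'crypt=cSElpEcA/vQumMhbuwK5g8f4fXIrQ+NQ username=xxxxx '
          r'host=xxxxxx.com transport=ssl launch="CDE on myhost"')

if __name__ == "__main__":
    for key, value in audit_shortcut(SAMPLE).items():
        print(f"{key}: {value}")
```

A block-aligned length is consistent with the DES description in the reply but proves nothing on its own, since the poster edited the sample values.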
#3532
Re:encrypted user password 6 Years, 2 Months ago Karma: 0
Thanks a lot for your answer !
=> mail sent directly


note: if you think of any other way to store user credentials that could be more secure, let me know.

Regards,
jeromejay