Password encryption

User, date	Message
Written by ysangkok 1 year ago Category: General 9 posts since Mon, 30 Apr 12	I see that HeidiSQL stores the passwords obfuscated in the registry. I would like to know the encoding scheme, as I want to judge it's security. I know the HeidiSQL source code is available, but it's not commented and I don't know Object Pascal very well.
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	I made some tests using the portable variant: test2 7C6D7B7C3A8 test 7A6B797A6 tset 787769784 <empty> 4 ~ 802 I don't see much of a system here. Please help.
Written by jfalch 1 year ago 222 posts since Sat, 17 Oct 09	One of the ideas of password encryption IS that you do not see a system in encrypted data (unless using a really weak encryption scheme).
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	As far as I know, MySQL receives passwords unencrypted/unhashed. How would it be able to hash and verify them with reference if they are already hashed? If someone has a reference on the MySQL protocol authentication system, please provide a link. If HeidiSQL was using a well known encoding algorithm, I presume a Google for 7A6B797A6 (test would be a pretty common input string for demonstrations. Try Googling the MD5 sum for "test") would return results, unless it is encrypted and then encoded using an obscure algorithm. If HeidiSQL is using a home-baked encryption mechanism, I do not really trust it since cryptography is rather hard to do right, and HeidiSQL is an SQL editor, so I presume the author has more knowledge about Object Pascal and GUI designing than cryptography. Even if he had, it would still security through obscurity since the encryption function could be placed in a library to allow testing and peer-review.
Written by kalvaro 1 year ago 440 posts since Thu, 29 Nov 07	I know nothing about Delphi but searching for "password" in the source code finds two obvious spots: http://code.google.com/searchframe#vAQ2aFOo1A4/trunk/source/helpers.pas&q=password%20package:http://heidisql\.googlecode\.com&l=315
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	Thanks a lot kalvaro, this is exactly what I was looking for, but I didn't find it. I was intimidated by the form manipulation code, which is a lot more incomprehensible to me than this. I like how the salt seems to be stored in the string :P Everything makes sense now :P Like how the empty password wasn't 0 but still seemed to be dependent on the length.
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	from itertools import zip_longest def grouper(n, iterable, padvalue=None): "grouper(3, 'abcdefg', 'x') --> ('a','b','c'), ('d','e','f'), ('g','x','x')" return zip_longest([iter(iterable)]n, fillvalue=padvalue) def decrypt(s): def bytehandler(x): """ handles a pair of hex nibbles i.e. ("A", "0") """ nr = int("".join(x), 16) - int(s[-1], 16) if nr < 0: nr += 255 return chr(nr) return "".join( map( bytehandler, grouper(2, s[:-1]) # group all nibbles except the last into pairs ) ) str1 = "7A6B797A6" print(decrypt(str1)) BTW the HeidiSQL code initializes result two times, anse
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	Anyway, I think it's incorrect to call it encryption, as the encryption key is embedded in the encrypted string. I'd call this obfuscation instead.
Written by ansgar 1 year ago 3950 posts since Fri, 07 Apr 06	Yes, helpers:encrypt() and helpers:decrypt() use obfuscation logic. Once I had written them years ago I never cared again about these two functions, as modifying the logic would have broken existing sessions of users. Well, we're not talking about publicly used encrypted strings, these are just for storing on the users harddisk/registry. Although I must admit I'd be glad to have a stronger encryption logic, hohum.
Written by ysangkok 1 year ago 9 posts since Mon, 30 Apr 12	Here are the Pidgin developers take on the issue: http://developer.pidgin.im/wiki/PlainTextPasswords
	Please login to leave a reply, or register at first. Username: Password: Remember me