Password encryption
I see that HeidiSQL stores the passwords obfuscated in the registry. I would like to know the encoding scheme, as I want to judge its security. I know the HeidiSQL source code is available, but it's not commented and I don't know Object Pascal very well.
As far as I know, MySQL receives passwords unencrypted/unhashed. How would it be able to hash and verify them with reference if they are already hashed?
If someone has a reference on the MySQL protocol authentication system, please provide a link.
If HeidiSQL was using a well-known encoding algorithm, I presume a Google for 7A6B797A6 (test would be a pretty common input string for demonstrations. Try Googling the MD5 sum for "test") would return results, unless it is encrypted and then encoded using an obscure algorithm. If HeidiSQL is using a home-baked encryption mechanism, I do not really trust it since cryptography is rather hard to do right, and HeidiSQL is an SQL editor, so I presume the author has more knowledge about Object Pascal and GUI designing than cryptography. Even if he had, it would still be security through obscurity since the encryption function could be placed in a library to allow testing and peer-review.
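On the MySQL authentication question raised above: with the `mysql_native_password` scheme (MySQL 4.1 and later) the password itself is not sent; the server issues a random 20-byte scramble and checks the client's reply against a stored double SHA-1. The sketch below is an added example, not code from this thread or from HeidiSQL, and its function names and sample password are illustrative.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: str) -> bytes:
    """What the server keeps: SHA1(SHA1(password)), never the password."""
    return sha1(sha1(password.encode()))


def client_token(password: str, nonce: bytes) -> bytes:
    """Client reply: SHA1(pw) XOR SHA1(nonce + SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor(stage1, sha1(nonce + sha1(stage1)))


def server_verify(token: bytes, nonce: bytes, stored: bytes) -> bool:
    """Strip the XOR mask to recover the candidate SHA1(pw), hash it once
    more, and compare the result with the stored double hash."""
    if len(token) != 20:
        return False
    candidate_stage1 = xor(token, sha1(nonce + stored))
    return hmac.compare_digest(sha1(candidate_stage1), stored)


if __name__ == "__main__":
    stored = stored_hash("test")   # constructed sample account
    nonce = os.urandom(20)         # fresh scramble sent by the server
    print(server_verify(client_token("test", nonce), nonce, stored))
    print(server_verify(client_token("tset", nonce), nonce, stored))
    # A reply computed for one scramble does not verify against another.
    print(server_verify(client_token("test", nonce), os.urandom(20), stored))
```

Because the client has to derive SHA1(password) for every new scramble, a client that saves sessions must keep the password, or something equivalent to it, in recoverable form.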
I know nothing about Delphi but searching for "password" in the source code finds two obvious spots:
http://code.google.com/searchframe#vAQ2aFOo1A4/trunk/source/helpers.pas&q=password%20package:http://heidisql\.googlecode\.com&l=315
http://code.google.com/searchframe#vAQ2aFOo1A4/trunk/source/helpers.pas&q=password%20package:http://heidisql\.googlecode\.com&l=315
Thanks a lot kalvaro, this is exactly what I was looking for, but I didn't find it. I was intimidated by the form manipulation code, which is a lot more incomprehensible to me than this.
I like how the salt seems to be stored in the string :P Everything makes sense now :P Like how the empty password wasn't 0 but still seemed to be dependent on the length.
from itertools import zip_longest

def grouper(n, iterable, padvalue=None):
    "grouper(3, 'abcdefg', 'x') --> ('a','b','c'), ('d','e','f'), ('g','x','x')"
    return zip_longest(*[iter(iterable)]*n, fillvalue=padvalue)

def decrypt(s):
    def bytehandler(x):
        """ handles a pair of hex nibbles i.e. ("A", "0") """
        nr = int("".join(x), 16) - int(s[-1], 16)
        if nr < 0: nr += 255
        return chr(nr)
    return "".join(
        map(
            bytehandler,
            grouper(2, s[:-1])  # group all nibbles except the last into pairs
        )
    )

str1 = "7A6B797A6"
print(decrypt(str1))
BTW the HeidiSQL code initializes result two times, anse
Yes, helpers:encrypt() and helpers:decrypt() use obfuscation logic. Once I had written them years ago I never cared again about these two functions, as modifying the logic would have broken existing sessions of users. Well, we're not talking about publicly used encrypted strings, these are just for storing on the user's hard disk/registry. Although I must admit I'd be glad to have a stronger encryption logic, hohum.
Here is the Pidgin developers' take on the issue: http://developer.pidgin.im/wiki/PlainTextPasswords