Password encryption

ysangkok posted 5 years ago in General
I see that HeidiSQL stores the passwords obfuscated in the registry. I would like to know the encoding scheme, as I want to judge its security. I know the HeidiSQL source code is available, but it's not commented and I don't know Object Pascal very well.
ysangkok posted 5 years ago
I made some tests using the portable variant:

test2 7C6D7B7C3A8
test 7A6B797A6
tset 787769784
<empty> 4
~ 802

I don't see much of a system here. Please help.
jfalch posted 5 years ago
One of the ideas of password encryption IS that you do not see a system in encrypted data (unless using a really weak encryption scheme).
ysangkok posted 5 years ago
As far as I know, MySQL receives passwords unencrypted/unhashed. How would it be able to hash and verify them with reference if they are already hashed?

If someone has a reference on the MySQL protocol authentication system, please provide a link.

If HeidiSQL was using a well known encoding algorithm, I presume a Google for 7A6B797A6 (test would be a pretty common input string for demonstrations. Try Googling the MD5 sum for "test") would return results, unless it is encrypted and then encoded using an obscure algorithm. If HeidiSQL is using a home-baked encryption mechanism, I do not really trust it since cryptography is rather hard to do right, and HeidiSQL is an SQL editor, so I presume the author has more knowledge about Object Pascal and GUI designing than cryptography. Even if he had, it would still be security through obscurity since the encryption function could be placed in a library to allow testing and peer-review.
kalvaro posted 5 years ago
I know nothing about Delphi but searching for "password" in the source code finds two obvious spots:

ysangkok posted 5 years ago
Thanks a lot kalvaro, this is exactly what I was looking for, but I didn't find it. I was intimidated by the form manipulation code, which is a lot more incomprehensible to me than this.

I like how the salt seems to be stored in the string :P Everything makes sense now :P Like how the empty password wasn't 0 but still seemed to be dependent on the length.
ysangkok posted 5 years ago
from itertools import zip_longest

def grouper(n, iterable, padvalue=None):
    "grouper(3, 'abcdefg', 'x') --> ('a','b','c'), ('d','e','f'), ('g','x','x')"
    return zip_longest(*[iter(iterable)]*n, fillvalue=padvalue)

def decrypt(s):
    def bytehandler(x):
        """ handles a pair of hex nibbles i.e. ("A", "0") """
        nr = int("".join(x), 16) - int(s[-1], 16)  # the last nibble is the salt
        if nr < 0: nr += 255
        return chr(nr)
    return "".join(
        map(bytehandler,
            grouper(2, s[:-1]))  # group all nibbles except the last into pairs
    )

str1 = "7A6B797A6"
print(decrypt(str1))  # prints "test"

BTW the HeidiSQL code initializes result two times, anse
ysangkok posted 5 years ago
Anyway, I think it's incorrect to call it encryption, as the encryption key is embedded in the encrypted string. I'd call this obfuscation instead.
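As an added illustration of the point above (example code, not from the thread or from HeidiSQL's source): a Python model of both directions of the scheme, checked against the strings posted earlier in the thread. It assumes the trailing character is a one-digit salt and that values wrap at 255 exactly as the posted decrypt() undoes it; the random round-trip check only covers printable ASCII.

```python
# Added example, not HeidiSQL's code. Assumptions: trailing digit is the salt,
# wrap at 255 mirrors the posted decrypt(). Shows that reversing the string
# needs nothing but the string itself, i.e. the "key" travels with the data.
import random


def obfuscate(plaintext: str, salt: int) -> str:
    """Add salt (1..9) to each character, hex-encode, append the salt digit."""
    if not 1 <= salt <= 9:
        raise ValueError("salt must be a single non-zero digit")
    out = []
    for ch in plaintext:
        nr = ord(ch) + salt
        if nr > 255:  # wrap the way the posted decrypt() reverses it
            nr -= 255
        out.append(f"{nr:02X}")
    return "".join(out) + str(salt)


def deobfuscate(s: str) -> str:
    """Reverse obfuscate(): the salt is simply the last character."""
    salt = int(s[-1])
    body = s[:-1]
    if len(body) % 2:
        raise ValueError("hex body must have an even number of nibbles")
    chars = []
    for i in range(0, len(body), 2):
        nr = int(body[i:i + 2], 16) - salt
        if nr < 0:
            nr += 255
        chars.append(chr(nr))
    return "".join(chars)


# Vectors as posted in the thread (from ysangkok's portable-build tests)
THREAD_VECTORS = {"7C6D7B7C3A8": "test2", "7A6B797A6": "test",
                  "787769784": "tset", "4": "", "802": "~"}


def check_vectors() -> bool:
    """True if every posted string decodes to its plaintext and re-encodes
    to the identical string when the embedded salt digit is reused."""
    return all(deobfuscate(c) == p and obfuscate(p, int(c[-1])) == c
               for c, p in THREAD_VECTORS.items())


def random_roundtrips(n: int = 200) -> bool:
    """Obfuscate random printable ASCII with random salts, recover them all."""
    rng = random.Random(1)  # fixed seed so the check is reproducible
    for _ in range(n):
        pw = "".join(chr(rng.randint(32, 126)) for _ in range(rng.randint(0, 20)))
        if deobfuscate(obfuscate(pw, rng.randint(1, 9))) != pw:
            return False
    return True
```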
ansgar posted 5 years ago
Yes, helpers:encrypt() and helpers:decrypt() use obfuscation logic. Once I had written them years ago I never cared again about these two functions, as modifying the logic would have broken existing sessions of users. Well, we're not talking about publicly used encrypted strings, these are just for storing on the users' hard disk/registry. Although I must admit I'd be glad to have a stronger encryption logic, hohum.
ysangkok posted 5 years ago
Here is the Pidgin developers' take on the issue: http://developer.pidgin.im/wiki/PlainTextPasswords
