This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

Username Password "Encoder"

Started by Thefdjurt, 18 September 2015 - 10:31 PM
Thefdjurt #1
Posted 19 September 2015 - 12:31 AM
I was thinking about creating an OS and was looking through the OS section when I noticed a large number of complaints on OSs not encoding their users' passwords. So I decided to create an encoder (it took me around 2-3 hours to make).
Download with pastebin get 8DpMsXFf encoder
Usage: psst… forgot how to do named spoilers :0

encode(username,password)
-- Do whatever

-- write() handles "\n"; term.write() does not move to a new line
local w,r=write,read
w("--  Registration  --\n")
w("Username: "); local u=r()
w("Password: "); local p=r("*")
if (users.exists(u)) then -- pseudo-code m8 :P
  error("No, we will not let you go!")
end
-- One entry per line so records do not run together
local f=io.open("users.txt","a"); f:write(u.."\n"); f:close()
f=io.open("keys.txt","a"); f:write(encode(u,p).."\n"); f:close()
This is my first attempt at an encoder and I would imagine that there is some fault in my code; I would appreciate feedback (well any kind of feedback is nice :D)
Edited on 18 September 2015 - 11:48 PM
Lego Stax #2
Posted 19 September 2015 - 12:37 AM
For passwords, you always want to hash to increase security. Encryption can be decrypted. Hashing can theoretically not be. I'd use SHA-256 for all of my hashing needs.
Thefdjurt #3
Posted 19 September 2015 - 01:04 AM
Though I was aiming for security, I was mostly trying to create something "secure" enough. I know that hashing is theoretically un-hashable; however, it does not seem efficient enough to me.
If that sounds stupid, it probably is, I am tired.
EDIT: Hashing seems too complex for something like computercraft. Even though it is useful, I feel something like this would be just as effective as SHA-256 if you were to send requests to an external computer (i.e. a server for all the users).
Edited on 18 September 2015 - 11:22 PM
oeed #4
Posted 19 September 2015 - 01:25 AM
Though I was aiming for security, I was mostly trying to create something "secure" enough. I know that hashing is theoretically un-hashable; however, it does not seem efficient enough to me.
If that sounds stupid, it probably is, I am tired.
EDIT: Hashing seems too complex for something like computercraft. Even though it is useful, I feel something like this would be just as effective as SHA-256 if you were to send requests to an external computer (i.e. a server for all the users).
There are libraries available for you to hash easily in Lua. It's certainly not just as effective to use an encrypted string as a hashed string for a password, especially if you're sending it to an external server. It's just not worth the risk at all.
Thefdjurt #5
Posted 19 September 2015 - 01:41 AM
Whoops. By "server" I mean a rednet server. I am trying to achieve security through computercraft itself.
It's certainly not just as effective to use an encrypted string as a hashed string for a password
What makes hashing more effective than encryption? I am utterly curious :/ (I do not really know anything about the two other than their definitions).
oeed #6
Posted 19 September 2015 - 01:48 AM
Whoops. By "server" I mean a rednet server. I am trying to achieve security through computercraft itself.
It's certainly not just as effective to use an encrypted string as a hashed string for a password
What makes hashing more effective than encryption? I am utterly curious :/ (I do not really know anything about the two other than their definitions).

No problem, I was much the same :)

Basically hashing is like a one-way street, so when you hash a password it's basically impossible to 'unhash' it. So if my password '1234' is hashed into, say, 'sjdgfhdfjhsdbgh32437w8eyrfiyfgw3' there's theoretically no way for you to know what my actual password is. The only way to know whether the password is right when you log in, for example, is to hash the user input as well and see if the strings are the same. So if I type in '4321' it will be, say, '769dfbjkr4hnfdhksfuerjherjbhkfd', which isn't the same as the hashed value. If, on the other hand, I type in '1234' and hash it (using the same method as it was originally hashed) it will be the same 'sjdgfhdfjhsdbgh32437w8eyrfiyfgw3' and is equal to the stored value, so it's the same password.

Encryption, on the other hand, lets you reverse the string. Granted, you need a special key, but it is considerably less safe if it's not essential that you are able to read the actual value. So '1234' becomes 'jkb46453h66jbhjhb22kjhbkdjbhksdf2' with the key 'abcd'. If I then unencrypt 'jkb46453h66jbhjhb22kjhbkdjbhksdf2' with the key 'abcd' I will get back '1234'.

Encryption simply makes it possible to get your password in plain text form, which is not at all secure. Now, I have simplified it a little and haven't mentioned things such as salting and rainbow tables, but they're the most essential basics.
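
The hash-and-compare login flow described in post #6, as an added example that is not part of the original thread and is written in Python rather than ComputerCraft Lua. It goes one step beyond the post by adding the per-user salt it mentions and an iterated SHA-256 (PBKDF2); the function names, account names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated SHA-256 (PBKDF2); one-way, so there is no decode step."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Store only the salt and the hash, never the password itself."""
    if username in store:
        raise ValueError("username already taken")
    salt = os.urandom(16)  # fresh random salt per user
    store[username] = (salt, hash_password(password, salt))


def verify(store: dict, username: str, attempt: str) -> bool:
    """Hash the login attempt with the stored salt and compare the results."""
    record = store.get(username)
    if record is None:
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(hash_password(attempt, salt), expected)


def demo() -> dict:
    # Constructed sample accounts, using the passwords from the post above
    store = {}
    register(store, "alice", "1234")
    register(store, "bob", "1234")
    return {
        "right": verify(store, "alice", "1234"),
        "wrong": verify(store, "alice", "4321"),
        "unknown_user": verify(store, "carol", "1234"),
        # Same password, different salts: the stored hashes differ
        "same_hash": store["alice"][1] == store["bob"][1],
    }


if __name__ == "__main__":
    print(demo())
```

Because each user gets a different salt, two accounts with the password '1234' end up with different stored values, so a precomputed (rainbow) table for unsalted hashes does not apply.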