LoganDark's Password Lock System

I have no code to show here. Existing computers running my password lock will continue to function but will not show they are running my system.

new post here

This is all great but…

LoganDark, on 07 December 2015 - 02:39 AM said:

Password is encrypted using secret code

#-- Don't concentrate intensely on figuring out how the encryption system works. It's simple but complicated.

It's not complicated at all, putting your encrypted password in the code() function will give you the original…
Would be better using an actual one-way function like SHA256 for storing passwords.

The system also does not work, my correct password doesn't unlock the computer.
You can terminate it with ctrl+t despite you saying it can't.
Did you try your program before posting it?

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.
Edit: Seems you prefer editing your post rather than replying to the thread, here's my answer.
Rolling out patches like this seems like a good idea in theory, but for a password lock, security comes before convenience, you can't have the two at the same time.
Since you put your name in there, you can easily identify who uses your lock, the possibility for you to change the code and put a backdoor in to break into someones computer after rebooting is very real.
It might not be your intentions to do that, but directly running external code that can be modified without notice, I wouldn't put my trust into that.

Removed, because the errors have been fixed.

LoganDark, on 07 December 2015 - 06:07 PM said:

Edit: Luca0208, please remove your post. I do not like people looking to publish a hack for my system. Please only post issues, not how to hack my system.

Fix it, then you don't longer have the problem. And no you don't need to decrypt something. I recommend you to do this:

There is a SHA API on the forums. If you can't find it, here is one. (This is the one forums, not by me.)

By the way, figuring out the wat to hack the system can be done by looking at the code. The only way to prevent this is by hashing passwords.

Luca0208, shortened/redirecting URLs are not allowed, please post a link to the ultimate destination when linking things.

A true one-way hash creates the same output for the same input; different output for different input; and doesn't need to be reversed if implemented properly, simply compare the hashed outputs.

LoganDark, on 07 December 2015 - 06:07 PM said:

Edit: Luca0208, please remove your post. I do not like people looking to publish a hack for my system. Please only post issues, not how to hack my system.

Response to a hack: A way to hack a system is an issue, a major one actually.

EDIT: you're coding is simple rot 13 it seems, but for numbers it is in reverse order, this is way too easy to crack the password from the file (besides disk startup IMO ruins the idea of password locks).
EDIT 2: direct pastebin link for his program: http://pastebin.com/qKcNunWN
EDIT 3: also you're free to use the snippet of the java hashcode function found here: http://pastebin.com/duwcL34w
EDIT 4: also there's free hosting out there (such as google app engine)

Exactly. You have my respect, sir!

That's the thing, if you don't have a sense for security, you shouldn't do security at all.
Yes a password lock is a great beginner thing to write, but posting it on the forum with the label "Cannot be terminated, encrypted with secret code" when these statement are just false is just…

Now I did not say that you're bad and you should quit, not at all, all I did is point out potential security issues in hope to enlighten potential users looking for a good password lock.

Fact is that most people playing with CC plays on a server that provides some kind of claim security that prevents other player from placing blocks and thus bypassing protections.
In that case preventing termination is good enough, you could store the password unaltered if you so desire.
The reason why most of the people are using un-reversible hashes like SHA2 is mostly for prevention in case you forgot to re-lock your computer, and someone sneaks up and learns your password in hope you re-use the same in other places.

You also say that were dumbasses who can't undertand that your security can always be reverse engineered.
But what you don't understand is that we've been suggesting you to use something like SHA2 instead, which is used for real-world application, and is made hard, even impossible to reverse.

No code to show, locked.

Threads merged and re-opened.

I haven't tested it, but I did see one thing in your code that I'd recommend doing differently.

On line 189 you set os.pullEvent = os.pullEventRaw but you don't backup os.pullEvent or restore it when the script is done. This will disable CTRL-T for everything on that computer until a restart (which will run your login and disable CTRL-T again).

I'd recommend doing the following. On line 189 backup os.pullEvent before pointing it os.pullEventRaw…

local oldPullEvent = os.pullEvent
os.pullEvent = os.pullEventRaw

Then at the end of your code, restore os.pullEvent so the computer operates as expected…

os.pullEvent = oldPullEvent

Dog, on 09 December 2015 - 05:23 AM said:

I haven't tested it, but I did see one thing in your code that I'd recommend doing differently.

On line 189 you set os.pullEvent = os.pullEventRaw but you don't backup os.pullEvent or restore it when the script is done. This will disable CTRL-T for everything on that computer until a restart (which will run your login and disable CTRL-T again).

I'd recommend doing the following. On line 189 backup os.pullEvent before pointing it os.pullEventRaw…

local oldPullEvent = os.pullEvent
os.pullEvent = os.pullEventRaw

Then at the end of your code, restore os.pullEvent so the computer operates as expected…

os.pullEvent = oldPullEvent

Oh, sorry. I seem to have forgotten the fact that the os.pullEvent is global. Silly me, fixed. Restarting the computer will apply the patch.

Also, not to be rude or anything, but you do not have to provide a method to restore it. I can figure things out on my own.

P.S. You did not offend me, what I have written may suggest you have.

Next time, try to explain to me how to use the algorithm. I'm not good at figuring things out unless you point out that I need to.

If I were you, I'd interpret it as "Make your lock worthy of being used by the community." Don't take it as an insult.

LoganDark, on 13 December 2015 - 10:38 PM said:

Anavrins, on 08 December 2015 - 04:20 AM said:

… in hope to enlighten potential users looking for a good password lock …

So you're saying users should detour from my password lock and find another one that's "better"?

That's you saying I'm bad and I should quit.

You offended me deeply…

I'm sorry that you get easily offended by criticism, I wrote a whole paragraph trying to make it as much constructive as possible.
What I mean by that is I wanted to notice users that your code didn't have any protections against termination, despite you stating it did, (it does now, but not in your first version).
Of course nobody is going to want a security system that's bypassable in the simplest of ways.

LoganDark, on 14 December 2015 - 03:52 AM said:

You could've just told me what to improve and what to add, but instead, you chose to offend me…

Told you to add what?
Not only did you put the anti-termination by yourself later, but you also stated in your thread that it was already not terminatable, so clearly you knew what to do.

I'm done talking to you, I've been trying to be pacifist the whole way, even wished you good luck in that PM I sent you, but you seem to be dramatizing each and every sentence I make.

Dude, I'm sorry. I forgot to add the termination, but thought I added it.

I'm not trying to offend you, I'm not saying what you're doing is wrong, I'm just saying you offended me by accident.

I overreact easily…

LoganDark, on 14 December 2015 - 03:52 AM said:

you chose to offend me…

LoganDark, on 14 December 2015 - 06:58 AM said:

you offended me by accident.

I'm not sure anymore…

But anyways, the lock looks great now :)/>
About sha512, nobody has implemented it in CC yet, and sha256 is just as secure.
It's also much slower than sha256.

Anavrins, on 14 December 2015 - 07:58 AM said:

I'm not sure anymore…

I'm sorry.

No feedback?

Just tested it on an advanced computer. I think the only gripe I can make about it is that it's unpolished. It functions exactly as it should, but I feel it looks a bit bare. Also, it would be a bit better if you shortened the sleep() calls after a successful password entry.

Oh, and in MY password lock, you can have multiple passwords by doing string.find() on the whole password file, where each password is separated by a newline! Like, in case you have your super secret password used on that lock and you don't want your roommate to know it.

amnt = 10 --amount of 'heh's
write("Nyeh ") --header. not counted in amnt
for a = 1, amnt do
	write("heh")
	if a ~= amnt then --to make sure that there is proper spacing
		write(" ")
	else
		write("!!!!") --end punctuation
	end
end

I'm going to try adding compatibility for multiple passwords.

I'm going to try recoding the entire thing.

http://pastebin.com/qKcNunWN
Is this a backdoor I see at line 262?

Anavrins, on 07 December 2015 - 04:59 AM said:

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.

Anavrins, on 13 January 2016 - 07:51 PM said:

http://pastebin.com/qKcNunWN
Is this a backdoor I see at line 262?

Anavrins, on 07 December 2015 - 04:59 AM said:

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.

Yes it is.

Now just about no one will probably be using your code if they know that you have a way into their computer if you so desire. There is no POSSIBLE reason why someone would use your code if they're gonna be in the same server as you. The ability to unlock a 'secure' lock with a backdoor is contradictory towards the point of the lock in the first place. More than likely, in your code's current state, you'll probably be getting just about 0 downloads of your code for an actual use.

Most people would look elsewhere on the forums to find a more secure lock. I mean hell, I made one a long time ago, was just a door lock really, sha256, multiple users. Wasn't hard to implement, however I never decided to put in a back door because why do it. There is literally no reason for you to have a back door into a program that you're not going to run yourself.

If someone were to figure out your "super secret password" your lock would be finished, that person wouldn't have to disclose that they knew it, AND they'd be able to get into anyone's computer that uses your lock.

Knowing what the hash result is, it wouldn't take me long to write up a brute force. Probably wouldn't take it long to figure it out too.

It's for debugging. I added that in recently to combat the problem of bugs. If someone found a bug with their password but won't tell me, I need a way in without bugging them. If someone forgot their password I'd need a way in as well.

I'll put up a poll.

Edit: Reply stating your opinion, and I'll consider removing it.

Edit 2: You have a good point, I'll remove it immediately

Luckily, all affected computers can be restarted to apply the change. Now do you understand why I made the loader load from pastebin?

Dragon53535, on 13 January 2016 - 08:36 PM said:

-snip-

Knowing what the hash result is, it wouldn't take me long to write up a brute force. Probably wouldn't take it long to figure it out too.

You don't know how long that is.

LoganDarkthisisalongpassword

Crappy password but without logic, very hard to crack

Surprisingly enough, I happen to be in very close contact with him. I'll make sure he removes it, and it DOES get annoying because he managed to use it to hack into my computer about 100 times, EVEN when I told him not to. Naughty naughty…

EDIT: I realized that he removed the secret password that he told me, so there should be no reason to be able to hack into the computers I use.

BEFORE you use this comment against him, read the spoiler below:

Spoiler

You cannot use this as a thing against him, he was playing a practical joke, even after I asked him not to, and that's what friends do.

:mellow:/>

Here's a good test to see if a lock is good: see if you can lock yourself out completely.

LoganDark, on 14 January 2016 - 01:03 AM said:

Sorry, content creeper'd

Do'h. Failed.

Famous5000, on 14 January 2016 - 12:35 AM said:

You cannot use this as a thing against him, he was playing a practical joke, even after I asked him not to, and that's what friends do.

A practical joke which is also practical for actually bypassing, for malicious intent, even though it's not his goal.
What he could've done is send you a private version instead of the public one.

But hey, can't blame me, I warned you about it since my first post.

Anavrins, on 07 December 2015 - 04:59 AM said:

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.

Anavrins, on 14 January 2016 - 01:17 AM said:

Famous5000, on 14 January 2016 - 12:35 AM said:

You cannot use this as a thing against him, he was playing a practical joke, even after I asked him not to, and that's what friends do.

A practical joke which is also practical for actually bypassing, for malicious intent, even though it's not his goal.
What he could've done is send you a version that is not from the forum thread.

But hey, can't blame me, I warned you about it since my first post.

Anavrins, on 07 December 2015 - 04:59 AM said:

The startup file also runs a pastebin link, which you can edit, and possibly replace with a virus or backdoor.

I will note that he did NOT warn me and shown me this post before he told me about it and let me install it on my computers.
Turns out that was a mistake before he removed the backdoor, or whatever it's called.

LoganDark, on 13 January 2016 - 11:12 PM said:

Crappy password but without logic, very hard to crack

Not hard, time consuming. with your password you have 52^28 different possibilities at that length, and that's without symbols or spaces. Running my brute force that I was using, I was implementing symbols into it, so it would of taken 93^28 possible permutations until it found your password. running it now, it's still going to take a long time. So I guess we'll see.
Running the brute force I made, I'm at 5 digits with only capital and lowercase letters. It still will take the computer over 52^27 permutations to get your password. Given what I've been using to actually do so, making it count up in digits amount, it's actually more of 53^28 - 1 permutations.

Dragon53535, on 14 January 2016 - 10:17 AM said:

LoganDark, on 13 January 2016 - 11:12 PM said:

Crappy password but without logic, very hard to crack

Running the brute force I made, I'm at 5 digits with only capital and lowercase…

You are desperately trying to crack a password that isn't there anymore.
You'd be better off trying a dictionary attack before anything else, otherwise you're wasting time and power.

Anavrins, on 14 January 2016 - 06:15 PM said:

You are desperately trying to crack a password that isn't there anymore.
You'd be better off trying a dictionary attack before anything else, otherwise you're wasting time and power.

A dictionary attack wouldn't work with the password he's already provided. A dictionary attack is easily defeated anyways by a password that differs from the norm as well as salting. I already know that it will take a long time to crack the known password. But I find it a fun exercise to attempt it anyways.

LoganDark, on 13 January 2016 - 11:01 PM said:

Now do you understand why I made the loader load from pastebin?

Sorry, not at all. If you wouldn't have that pastebin thing there, you wouldn't have been able to put a backdoor in, which would've saved you a lot of trouble, because I won't trust you anymore, we don't know if you really just put the backdoor in for debugging, you could also put it back in and I want my computer 100% Save, not having to trust ANYONE.

Luca_S, on 14 January 2016 - 08:44 PM said:

LoganDark, on 13 January 2016 - 11:01 PM said:

Now do you understand why I made the loader load from pastebin?

Sorry, not at all. If you wouldn't have that pastebin thing there, you wouldn't have been able to put a backdoor in, which would've saved you a lot of trouble, because I won't trust you anymore, we don't know if you really just put the backdoor in for debugging, you could also put it back in and I want my computer 100% Save, not having to trust ANYONE.

If you want to not trust me, go ahead and grab the code itself instead of the loader. It's not like I'm going to use it for evil anyway.

I'll never put in a backdoor if it means it will compromise my security system. I intended it as a joke, and not as a real way to abuse the system. I understand my mistake and I will never make it again.

Anavrins, on 14 December 2015 - 07:58 AM said:

-snip-
It's also much slower than sha256.

Slower is better, it will make brute-force harder.

LoganDark, on 14 January 2016 - 11:12 PM said:

It's not like I'm going to use it for evil anyway.

I do believe you won't, but the thing is, the way your lock is made do makes it possible, since you did exactly that, as a joke to a friend.
But as a security standpoint, that's unacceptable.

If you really want an update mechanism on your lock, it would be best to do it after authentication has been made, and that goes for most programs.

This thread hasn't been active for a while; anything anyone has to say? How do they use my system (if at all because my ex-friend virtually ruined my reputation by explaining what I did in the worst way possible)? Any issues?

Famous5000, on 14 January 2016 - 12:35 AM said:

Surprisingly enough, I happen to be in very close contact with him. I'll make sure he removes it, and it DOES get annoying because he managed to use it to hack into my computer about 100 times, EVEN when I told him not to. Naughty naughty…

EDIT: I realized that he removed the secret password that he told me, so there should be no reason to be able to hack into the computers I use.

BEFORE you use this comment against him, read the spoiler below:

Spoiler

You cannot use this as a thing against him, he was playing a practical joke, even after I asked him not to, and that's what friends do.

You're saying I won't remove it, and that I'm naughty, and that I broke into your computers with bad intentions. It was a joke. I wouldn't use it for evil. Not trying to be greedy here, but you pretty much completely ruined my reputation. If somebody reads your post, they probably will leave because of how bad of a job you did explaining how I used it. You assumed I was a bad, horrible, heartless person. I won't accept this.