Joined: Jun 2003
Posts: 10
Pikka bird
OP
I would like to use the $encode function in some of my scripts (to be released publicly) to hide passwords, but I notice that sometimes the output contains characters that generate errors (example: ( ) and , ) so I cannot decode it.
Also I would like to make it a little more secure, so the person couldn't just type in $decode(Encoded Text String) and find out passwords. Is there any way to do this?
Joined: Dec 2002
Posts: 271
Fjord artisan
[color:blue]
//echo -a $encode(hello there peoples....how ya all doing today? lol)
[/color]
Returns:
[color:blue]
M:&5L;&\@=&AE<F4@<&5O<&QE<RXN+BYH;W<@>6$@86QL(&1O:6YG('1O9&%Y%/R!L;VP`
[/color]
[color:red]
//var %a = M:&5L;&\@=&AE<F4@<&5O<&QE<RXN+BYH;W<@>6$@86QL(&1O:6YG('1O9&%Y%/R!L;VP` | echo -a $decode(%a)
[/color]
Returns:
[color:red]
hello there peoples....how ya all doing today? lol
[/color]
That's to answer your first question. Now as for your second comment, dunno if there is any really secure way of doing something like that. The only way I could think of that would work the best would be to make your own encode and decode aliases... for example:
[color:green]
; Shift every character down by 10 code points; words are joined with $chr(1)
alias my.encode {
  var %a = $1-, %b = 1, %final
  ; walk the space-separated words
  while ($gettok(%a,%b,32)) {
    var %c = $ifmatch, %d = 1, %match
    ; walk the characters of the current word
    while ($mid(%c,%d,1) != $null) {
      %match = %match $+ $replace($ifmatch,$ifmatch,$chr($calc($asc($ifmatch) - 10)))
      inc %d
    }
    %final = $+(%final,$chr(1),%match)
    inc %b
  }
  ; drop the leading $chr(1)
  return $right(%final,-1)
}
; Reverse of my.encode: split on $chr(1) and shift every character up by 10
alias my.decode {
  var %a = $1-, %b = 1, %final
  while ($gettok(%a,%b,1)) {
    var %c = $ifmatch, %d = 1, %match
    while ($mid(%c,%d,1) != $null) {
      %match = %match $+ $replace($ifmatch,$ifmatch,$chr($calc($asc($ifmatch) + 10)))
      inc %d
    }
    %final = %final %match
    inc %b
  }
  return %final
}
[/color]
Something like that. Now if I type //echo -a $my.encode(blah blah blah blah boo hoo does it work) I get an echo of: XbW^XbW^XbW^XbW^Xee^eeZe[i_jmeha
Then if I type //var %a = XbW^XbW^XbW^XbW^Xee^eeZe[i_jmeha | echo -a $my.decode(%a) I get an echo of: blah blah blah blah boo hoo does it work
So you can see the possibilities... hope that helps a little
Joined: Dec 2002
Posts: 2,809
Hoopy frood
$encode is NOT meant to hide passwords. So no, there is no way to make it more secure. What I would suggest you do is something like this:
set %password $md5(the_password_the_user_set)
Then when someone enters the password, like /msg nick login mypass
You do if (%password == $md5(what_the_user_just_entered)) { ; the correct password was entered }
MD5 is a one-way hash, meaning if you have the output of $md5, there is virtually NO way to get the original password.
Joined: Jan 2003
Posts: 3,012
Hoopy frood
I always wondered what md5 was.. now I know >:D Yea, *virtually* no way--heh unless you have lc4 >:D
-KingTomato
Joined: Dec 2002
Posts: 2,809
Hoopy frood
LC4 (nor any other publicly known password retrieving software) can do nothing to crack an MD5 hash. There are attacks against MD5 that can make it take not too long (in crypto terms) to crack, such as differential cryptanalysis (the T-attack), but no one has yet devised a feasible attack using this against MD5 (at least not to my knowledge). The "easiest" known method would be the birthday attack, which can bring it down to roughly 500,000 years. There are probably other attacks that can bring it down further (plus the faster the machine the faster the cracking, i.e. an NSA cryptanalysis computer could do it much faster than the times I'm quoting). But in any case, unless your goal is to use MD5 to prevent anyone (general people, military and intelligence agencies, etc) from getting at your password, MD5 is fine. Perhaps in the future mIRC could add support for SHA1 or RIPEMD160, which provide significantly stronger hashing abilities.
Joined: Jan 2003
Posts: 3,012
Hoopy frood
Yes, but knowing the algorithm the program took to get there would be half the battle. I mean, if mirc has it, it's either a library of windows, or a replicate or the function/class/program itself, correct?
-KingTomato
Joined: Dec 2002
Posts: 2,809
Hoopy frood
Well the thing is though, MD5 is one-way; it means
MD5(a) = b
But there is no function MD5^-1 such that:
MD5^-1(b) = a.
Meaning given the end result, there is no way to get the original input, at least not with the math that we currently have.
Joined: Jan 2003
Posts: 3,012
Hoopy frood
So even if you do the reverse to get where you got, it still wouldn't come out right?
i.e.
alias enc { return $chr($calc(($asc($1) * 2) + 3)) }
$enc(a) = Å
alias dec { return $chr($calc(($asc($1) - 3) / 2)) }
$dec(Å) = a
-KingTomato
Joined: Jan 2003
Posts: 3,012
Hoopy frood
In addition to that, what about a dictionary attack that takes a word, does $md5() on it, and then a match--rather than to try to decrypt the hash?
-KingTomato
Joined: Dec 2002
Posts: 2,809
Hoopy frood
Well of course a dictionary attack "could" work, but you'd be assuming the password is in some dictionary. If the original plaintext was "42379fjsdrw3r47&$*@843", chances are a dictionary attack is going to be useless.
Joined: Jan 2003
Posts: 3,012
Hoopy frood
Well I mean, the traditional methods are still kind of possible, just there is an added step--that being to hash the result.
-KingTomato
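Added example, not part of the thread and not mIRC code: a Python sketch of the hash-and-compare login suggested above and of the point the dictionary discussion turns on, namely that an unsalted fast hash protects a password only if the password itself is not guessable. `hashlib.md5` stands in for `$md5`; the function names, the word list and the salted PBKDF2 variant are assumptions that go beyond what the thread proposes.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

def md5_hex(text: str) -> str:
    """Python stand-in for the thread's $md5(text): hex MD5 of the text."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def verify_md5(stored_hex: str, attempt: str) -> bool:
    """The check from the thread: hash the attempt, compare with the stored hash."""
    return hmac.compare_digest(stored_hex, md5_hex(attempt))

def audit_weak(stored_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Defender's audit: return the listed word whose hash equals the stored one."""
    for word in wordlist:
        if verify_md5(stored_hex, word):
            return word
    return None

# Assumption (not from the thread): salted PBKDF2-HMAC-SHA256 as the hardened form.
ROUNDS = 200_000  # constructed work factor

def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest

def verify_salted(salt: bytes, digest: bytes, attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    return hmac.compare_digest(digest, hash_salted(attempt, salt)[1])

# Constructed sample data: a short weak-password list and two stored hashes.
WEAK_WORDS = ["123456", "password", "letmein", "mypass"]
STORED_WEAK = md5_hex("mypass")                    # the thread's example login
STORED_STRONG = md5_hex("42379fjsdrw3r47&$*@843")  # the thread's random example

if __name__ == "__main__":
    print("weak hash matches:  ", audit_weak(STORED_WEAK, WEAK_WORDS))
    print("strong hash matches:", audit_weak(STORED_STRONG, WEAK_WORDS))
    salt1, d1 = hash_salted("mypass")
    salt2, d2 = hash_salted("mypass")
    print("same password, different records:", d1 != d2)
    print("salted verify:", verify_salted(salt1, d1, "mypass"))
```

With a per-user salt the same password no longer produces the same stored value, and the slow derivation raises the cost of every guess.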