Forums Scripts & Popups $encode problems

I would like to use the $encode function in some of my scripts (to be released publicly) to hide passwords, But I notice that sometimes the output contains characters that generate errors ( Example : ( ) and , ) so i cannot decode it.

Also I would like to make it a little more secure, so the person couldn't just type in $decode(Encoded Text String) and find out passwords. Is there any way to do this?

thats to answer your first question, now as for your second comment, dunno if there ia any really secure way of doing something like that, only way i could think of that would work the best would be to make your own encode and decode aliases..... for example:

Code:

[color:green]
alias my.encode {
  var %a = $1-, %b = 1, %final
  while ($gettok(%a,%b,32)) {
    var %c = $ifmatch, %d = 1, %match
    while ($mid(%c,%d,1) != $null) {
      %match = %match $+ $replace($ifmatch,$ifmatch,$chr($calc($asc($ifmatch) - 10)))
      inc %d
    }
    %final = $+(%final,$chr(1),%match)
    inc %b
  }
  return $right(%final,-1)
}
alias my.decode {
  var %a = $1-, %b = 1, %final
  while ($gettok(%a,%b,1)) {
    var %c = $ifmatch, %d = 1, %match
    while ($mid(%c,%d,1) != $null) {
      %match = %match $+ $replace($ifmatch,$ifmatch,$chr($calc($asc($ifmatch) + 10)))
      inc %d
    }
    %final = %final %match
    inc %b
  }
  return %final
}
[/color]

something like that, now if i type //echo -a $my.encode(blah blah blah blah boo hoo does it work)

i get an echo of:

XbW^
XbW^
XbW^
XbW^
Xee
^ee
Ze[i
_j
meha

then if i type //var %a = XbW^
XbW^
XbW^
XbW^
Xee
^ee
Ze[i
_j
meha | echo -a $my.decode(%a)

i get an echo of:

blah blah blah blah boo hoo does it work


so you can see the posibilities....

hope that helps a little

$encode is NOT meant to hide passwords. So no, there is no way to make it more secure. What I would suggest you do is something like this:

set %password $md5(the_password_the_user_set)

Then when someone enters the password, like /msg nick login mypass

You do if (%password == $md5(what_the_user_just_entered)) {
; the correct password was entered
}

MD5 is a one-way-hash meaning if you have the output of $md5, there is virtually NO way to get the original password.

i always wondered what md5 was.. now I know >:D Yea, *virtually* no way--heh unless you have lc4 >:D

LC4 (nor any other publically known password retreiving software) can do nothing to crack an MD5 hash. There are attacks against MD5 that can make it take not too long (in crypto terms) to crack such as differential cryptanalysis (the T-attack), but no one has yet devised a feasible attack using this against MD5 (at least not to my knowledge). The "easiest" known method would be the birthday attack which can bring it down to roughly 500,000 years. There are probably other attacks that can bring it down further (plus the faster the machine the faster the cracking, i.e. an NSA cryptanalysis computer could do it much faster than the times I'm quoting). But in any case, unless your goal is to use MD5 to prevent anyone (general people, military and intelligence angencies, etc) from getting at your password MD5 is fine. Perhaps in the future mIRC could add support for SHA1 or RIPEMD160 which provides signifigantly stronger hashing abilities.

yes, but knowing the algorithm the program took to get there, would be half the battle. I mean, if mirc has it its either a library of windows, or a replicate or the function/class/program itself, correct?

Well the thing is though, MD5 is one way
it means

MD5(a) = b

But there is no function MD5-1 such that:

MD5-1(b) = a.

Meaning given the end result, there is no way to get the original input, at least not with the math that we currently have.

so even if you do the reverse to get where you got, ti still wouldn't come out right?

i.e.

alias enc { return $chr($calc(($asc($1) * 2) + 3)) }
$enc(a) = Å
alias dec { return $chr($calc(($asc($1) - 3) / 2)) }
$dec(Å) = a

In addition to that, what about a dictionary attack that takes a word, doe $md5() on it, and then a match--rather than to try to decrypt the hash?

Well of course a dictionary attack "could" work, but you'd be assuming the password is in some dictionary, if the original plaintext was "42379fjsdrw3r47&$*@843" chances are, a dictionary attack is going to be useless.

Well i mean, the tradition methods are still kind of possible, just there is an added step--that being to hash the result.