Old Jul 29th, 2005, 12:15 AM   #11
hydroxide
1/ You should compare encrypted/hashed strings only
2/ You should use library encryption rather than hand rolling your own.
3/ You should use library functions for other things too.

Do the following in the Interactive Interpreter (etc)
import md5
print md5.md5("InsertYourPasswordHere").hexdigest()

Copy the output (in this case 66e37426a7ff13e2957b2eed7c26039b, but obviously it'll be different for a different password).

Then in your user code use:
from getpass import getpass
from md5 import md5
MYPASSWORDHASH = "66e37426a7ff13e2957b2eed7c26039b" # or whatever
def get_password():
    for i in range(3):
        password = md5(getpass("Enter your password: "))
        if password.hexdigest() == MYPASSWORDHASH:
            return True
    return False

def main():
    if get_password():
        print "Success"
        # do something here
    else:
        print "Failure"
        # do something else here

if __name__ == "__main__":
    main()

--OH.
[Ok, md5 is theoretically breakable... =]
hydroxide is offline   Reply With Quote
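
As an added example (not code from the thread): the same stored-hash check as post #11, written for Python 3 with a random per-password salt, PBKDF2-HMAC-SHA256 in place of a single unsalted MD5, and a constant-time comparison. The record format, the function names and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from getpass import getpass

ITERATIONS = 600_000  # assumed work factor; raise it as far as your hardware tolerates


def make_record(password, salt=None, iterations=ITERATIONS):
    """Build the string to store in place of the bare MD5 hex digest.

    Format (assumed for this example): iterations$salt_hex$hash_hex
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = record.split("$")
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


def get_password(record, attempts=3, prompt=getpass):
    """Same three-try loop as the post; `prompt` is injectable for testing."""
    for _ in range(attempts):
        if verify(prompt("Enter your password: "), record):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the placeholder password used in the post.
    record = make_record("InsertYourPasswordHere")
    print(record)  # paste this into the program instead of the MD5 hex
    print("Success" if get_password(record) else "Failure")
```

With the salt and the work factor, someone who can only read the stored record has to run the full key derivation for every guess, and the same password never produces the same record twice.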
Old Jul 29th, 2005, 10:40 AM   #12
Sane
Wow! That's a useful import! Thanks!
Old Jul 30th, 2005, 7:41 PM   #13
Eragon229
So, using that code, my program password won't be able to be taken from the source code?
__________________
Scientists prove this. Scientists prove that. They discover this, discover that. Though it seems there will be nothing left to discover, wrongo. Look beyond. I see no boundaries. The only boundaries are your determination, your imagination, your intuition, and your knowledge. But it all started with a dream.
Old Jul 30th, 2005, 8:49 PM   #14
Riddle
Eragon229, that's right. You just have to remember the password, and compare the raw_input to the password hash generated by md5() and hexdigest().
Old Jul 30th, 2005, 9:24 PM   #15
Eragon229
Aaargh.

Ok. Thanks. And one last small favor. The darn code:

str = input()
if foo == Radar:
    print "Scanning"
    sleep(10)
    print "Area clear"
elif foo == Ignition:
    print "Mixing fuels"
    sleep(10)
    print "Fuels mixed"

I got that far, then whenever I type Radar or Ignition in the string input, it turns out undefined :mad:
Is this guy that wrote the tutorial. Is he getting something wrong? There was a code problem which I first mentioned that didn't give a complete code. All these guys come from the Python.org site.
Old Jul 30th, 2005, 9:59 PM   #16
Riddle
I've seen some buggy code from people over at Python.org as well, I wonder why they get away with it.. :p But anyway, here's the edited code- it should work.

import time
#this is needed for the sleep() function.

#str = input()
#str is not the variable used-- and even if it was, input() is only for variables!
foo= raw_input()

#if foo == Radar:
#Radar is not a defined variable, and will therefore be undefined. Add quotes.
if foo= 'Radar':

    print "Scanning"

    #sleep(10)
    #sleep is not a built-in function, but it is defined in time.py.
    time.sleep(10)

    print "Area clear"

#elif foo == Ignition:
#like radar, this is not a variable and will therefore have an error. Again, add quotes.
elif foo == 'Ignition':

    print "Mixing fuels"

    #sleep(10)
    #I suspect you know what's wrong with this. :P
    time.sleep(10)

    print "Fuels mixed"

Hope I helped.
Old Jul 31st, 2005, 10:08 AM   #17
Eragon229
Thanks a lot. It finally worked. There was a small typo.
if foo= 'Radar' was supposed to be if foo == 'Radar'
Probably got confused with foo= raw_input()
Thanks for the help everyone.
Old Jul 31st, 2005, 3:57 PM   #18
Cerulean
Quote:
Originally Posted by Sane
Wow! That's a useful import! Thanks!
It's not the godsend you think it is Sane. Is no one else seeing the flaw with that? You've got a direct string comparison. Anyone with a decompiler can easily change that test (from == to !=) and there you have it - no need to enter the correct password. Much less effort than trying to brute force the password or whatever. There's just no real point in pursuing this further.
Old Jul 31st, 2005, 4:14 PM   #19
Eragon229
Isn't there something you can apply the program to? Just the program. Not with access to all the code.
Old Aug 2nd, 2005, 1:23 AM   #20
hydroxide
Quote:
Originally Posted by Cerulean
It's not the godsend you think it is Sane. Is no one else seeing the flaw with that? You've got a direct string comparison. Anyone with a decompiler can easily change that test (from == to !=) and there you have it - no need to enter the correct password. Much less effort than trying to brute force the password or whatever. There's just no real point in pursuing this further.
If they have write access there is, of course, no security. I was thinking more from the standpoint of them potentially having read access but not write access...

--OH.