Encrypted passwords from Dialog
#1
Hi,
I couldn't find the answer on my own in Help/Forums/Web so here goes:

I am setting up a username and password entry dialog to automate logon for a few commonly used apps and web services at my institution. Each user will enter their data in a dialog, like the sample below....
Obviously encryption is the key issue here:

The password entry field has the style for "*******" but I know that won't truly encrypt it. I guess I will take the string for that field and encrypt it to the registry in the following way (from the help file):

Quote:
str App1Pass
App1Pass.encrypt(10)
rset App1Pass "EncryptedApp1Pass" "\Test"

My question lies in how to organize the data from multiple users using this dialog (i.e. each person who uses the dialog should create their own encrypted set of entries). Thus later, when they are trying to log in to a site, the encrypted information will be called from the appropriate location (encrypted function or from registry???) and then entered into the user/password field of a specific app/webpage entry form (presumably using the AutoPassword function).

I had trouble using decrypt - I think because MD5 encryption.

Finally, once each user has created their encrypted password files, how will I export this to each of the multiple stations running the shared .qml file from the network drive? I know it probably has something to do with qmreg5.reg but I'm not exactly sure.

I hope that wasn't too poor of an explanation.

Thanks for any help in architecture or syntax!!!
(see form below)

Stuart

Code:
\Dialog_Editor
function# hDlg message wParam lParam
if(hDlg) goto messages

str user computer
GetUserComputer user computer
;out "%s\%s" computer user

str controls = "100 101 105"
str rea100 rea101 st105st

st105st.format("User ID: %s" user)

if(!ShowDialog("Login_Password_Dlg" &Login_Password_Dlg &controls)) ret

;BEGIN DIALOG
;0 "" 0x90C80A44 0x100 0 0 221 279 "AutoLogin"
;1 Button 0x54030001 0x4 64 232 38 14 "OK"
;2 Button 0x54030000 0x4 104 232 46 14 "Cancel"
;100 RichEdit20A 0x54231000 0x200 108 108 50 13 ""
;101 RichEdit20A 0x54230020 0x200 108 126 50 12 "*"
;102 Static 0x54000000 0x0 22 102 186 46 "[]1. User ID:[][]2. Password (encrypted) "
;105 Static 0x54000000 0x0 22 20 48 13 "UserID"
;3 Static 0x54000000 0x0 22 38 188 42 "Please confirm this is your correct User ID before proceeding.[][]If not, logoff (Ctrl-Alt-Del) and login again under your own User ID"
;4 Static 0x54000000 0x0 52 4 118 10 "Username and Password Enrollment"
;103 Button 0x54032007 0x0 16 86 198 72 "App1"
;END DIALOG
;DIALOG EDITOR: "" 0x2020105 "" "" ""


ret
;messages
sel message
,case WM_INITDIALOG
,DT_Init(hDlg lParam)
,,
,ret 1
,case WM_DESTROY
,DT_DeleteData(hDlg)  
,case WM_COMMAND goto messages2
ret
;messages2
sel wParam
,case IDOK DT_Ok hDlg
,case IDCANCEL DT_Cancel hDlg
,
#2
Quote: how to organize the data from multiple users

If you use registry, and each user has its own user account, Windows does it for you. Each user account has its own part of registry. Each user's data is stored separately. Similarly you can store the data in a file in a user-specific folder for example $personal$ (My Documents).

Quote: I had trouble using decrypt

MD5 encryption is used when you don't need to decrypt. If you need to decrypt, use Blowfish.
Macro
Code:
str s="pass"
out s.encrypt(9 s "a secret encryption key")
out s.decrypt(9 s "a secret encryption key")

Quote: once each user has created their encrypted password files, how will I export this to each

What THIS?
#3
Hi Gintaras,
Thank you for your reply.
Each of ~20 users may work at any of ~14 workstations depending on the given day. They all have separate Windows accounts (off of a domain) on each computer. No matter which computer or which user account, they all run the same .qml file because the qmreg5.reg file settings exported to all users has that .qml file on it as "always add these shared files".
The shared file is on a network drive available to all the workstations.

Anyway, I thought it might be nice if the user only had to "enroll" once with their password assignments and then this enrollment information could be shared in a safe, secure, encrypted manner among all the workstations as part of a shared .qml file or some other shared file. But if it is more secure to have each user enroll their passwords individually at each station they work at, that will be OK too! (only three in total in main use - just unfortunately over and over several times a day.)

Thanks for your comments and any additional thoughts.

Stuart
#4
Use shared ini, xml or text file.

Code:
str user password
GetUserComputer user
;...
ShowDialog that gets password
password.encrypt(9 ...
rset password user "users" "\\...\....ini"

Code:
rget password user "users" "\\...\....ini"
AutoPassword user password
#5
Thanks!!!!!!
#6
forgot to insert password.decrypt(9 ... before AutoPassword
#7
If the password will be used with AutoPassword or other function that supports encrypted passwords, you can encrypt it with 16 instead of 9. It is more secure. Then you don't need to decrypt before passing to AutoPassword. And you don't need to encrypt your dialog because an encryption key is not used in it.

Code:
str user("user") password("password")
password.encrypt(16 password "AutoPassword")

EDIT: This is not secure. Use encrypt(9 ...) too. And encrypt the macros.
#8
Hi Gintaras,
Just wanted to let you know that I did it just as you suggested and it is working incredibly well. I set it up so that each user name and password has its own .ini file.

I was just wondering, is that necessary? Can they all go in the same .ini file? I don't really know the structure.

Second, what happens when two separate users are "rset"-ing to the shared network .ini file simultaneously?
I saw something about "lock".
Do I need this?

Thanks!!!
Stuart
#9
Quote: what happens when two separate users are "rset"-ing to the shared network .ini file simultaneously

Don't know. Maybe Windows API functions used by rset manage it, maybe not.

lock cannot be used because it works only on single computer.

If we don't know that, safer is to use multiple files. Otherwise you could use single file.

Ini file format is

[section]
user1=[*ENCRYPTEDPASSWORD1*]
user2=[*ENCRYPTEDPASSWORD2*]
...
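
The trade-off in the reply above (one shared ini file versus one file per user), as an added example that is not part of the original post and is not QM code. It assumes a naive read-modify-write of the whole file, which is not a claim about how `rset` behaves; the file names and blob values are constructed.

```python
import configparser
import os
import tempfile

SECTION = "users"  # section name used by the rset/rget calls in the thread


def load(path):
    # interpolation=None: encrypted blobs may contain '%' characters
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user names exactly as written
    cp.read(path)  # a missing file is simply treated as empty
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    return cp


def save(cp, path):
    # Write a temp file next to the target, then swap it in with one rename
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        cp.write(f)
    os.replace(tmp, path)


def shared_file_race(workdir):
    """Assumed naive read-modify-write: both stations read before either writes."""
    path = os.path.join(workdir, "shared.ini")
    a, b = load(path), load(path)
    a.set(SECTION, "user1", "CONSTRUCTED_BLOB_1")
    save(a, path)
    b.set(SECTION, "user2", "CONSTRUCTED_BLOB_2")
    save(b, path)  # B's stale copy replaces A's write
    return sorted(load(path)[SECTION])


def per_user_files(workdir):
    """Same interleaving, but each user only ever writes their own file."""
    entries = {"user1": "CONSTRUCTED_BLOB_1", "user2": "CONSTRUCTED_BLOB_2"}
    stale = {u: load(os.path.join(workdir, u + ".ini")) for u in entries}
    for user, blob in entries.items():
        stale[user].set(SECTION, user, blob)
        save(stale[user], os.path.join(workdir, user + ".ini"))
    found = []
    for user in entries:
        found += list(load(os.path.join(workdir, user + ".ini"))[SECTION])
    return sorted(found)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(shared_file_race(d), per_user_files(d))
```

With the shared file, user1's entry is lost because the second writer saves a copy it read before the first write; with per-user files both entries survive the same interleaving.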
#10
Thanks!
Stuart
#11
Thanks again for all your help on this Gintaras.
A couple more questions:

In the .ini file, I see all the encrypted passwords. How secure are these? I.e.
without using the AutoPassword function, could someone easily decrypt them if they knew the key I used to make the macro (i.e. the encryption mode)?
Could someone accuse me of decrypting their passwords from the ini file?
Is there a way to lock and encrypt the ini file so no one can even attempt to do this? (I would still need to know the way to unlock it of course, but at least there would be one more layer of security...)

Thanks,
Stuart
#12
I want to be able to assure the users that they can put their password info and that it is secure i.e. hidden from anyone including myself.

Would it be more secure (trustworthy) if instead of rset/rget commands from a network .ini file (which can be opened), I instead just wrote directly to the registry of the user (Windows logon user)? That way, there would be no file with any passwords - i.e. it would be invisible even to myself?

Does this make sense?

Thanks so much,
Stuart
#13
Registry also can be opened.

encrypt(16 ...) was not a good idea in this case.

If a hacker gets a password that is encrypted for AutoPassword, and he knows that, he can use the password with AutoPassword.

Better encrypt the password using your own secret key (encrypt(9 ...)). And encrypt all your macros that use it.

Even then, a hacker can reveal the password if he can run the macro. To prevent it, the macro itself must ask for a password to run it. For example use inpp.

Encrypted passwords can be stored anywhere. In ini on a network, or in user's registry. Because nobody knows your secret key and therefore cannot decrypt.

Most secure will be to double encrypt passwords.

encrypt(16 ...)
encrypt(9 ...)
...
decrypt(9 ...)
AutoPassword
#14
Hi Gintaras,
Thanks for the explanations and advice.

The trigger for the various automated logins is a fingerprint-reader device. It comes with software that allows you to enter username/passwords for various websites. Unfortunately, that software caused our main work application to freeze up. That is why I am writing my own in QM.

Does the commercial "password manager" software use any special security trick or just write to their own .ini files/registry with their own corporate encryption key? In other words, are they any more secure?

Stuart
#15
Don't ask me. Never used it.
#16
Hi Gintaras,
Thanks for all the rest of the info you supplied above.
Stuart
#17
roboform is writing own files.
pi
#18
Hi Gintaras,
I am getting some help on my password management issues - which leads to this question:
Does QM work well with web service calls?
Thanks so much,
Stuart
#19
webservice example ? (translate text)
#20
Hi Gintaras,
Now with understanding webservices as my new task I feel like I am graduating up to a whole new level through QM! Thanks for making the journey possible!

Stuart

ps. also thanks to the QM experts _pi, ken gray, John, QM Assistant, QM_Expert, its just Matt and others who I have learned so much from...either through direct exchange or from reading your exchanges with Gintaras on your own projects.
#21

Well, I personally will be the first to admit, I'm by far no QM Expert, and I'm glad I could assist you however I did. But I can tell you're getting much better and more familiar with this great program each and every day. Keep it up Stuart.
Taking on Quick Macros one day at a time
#22

Yes, we all learn from one another, like it should be 8) I'm always glad to help in any way I can. I'm sure I've gotten more help than I have given, that's for sure.

