[windev] Passwords in MFC executables

David Little dlittle at coade.com
Tue Mar 17 14:33:01 GMT 2009


Go to www.md5hashing.com and grab md5.cpp/.h and md5wrapper.cpp/.h.  On
a 1-10 scale with 1 being no security and 10 being bullet-proof, this
will get you about a 4.  Encode the password in your killfocus handler
and compare that with the encoded password you've stored (or store the
hash if that's what you're doing).  It's a single-byte encoding, so if
you're using Unicode, do a hex conversion first:

	#include <wchar.h>   // wcslen, wcscat, swprintf

	// Hex-encode each 16-bit wchar_t as four uppercase hex digits so the
	// result is plain ASCII that a single-byte MD5 routine can consume.
	// The caller owns the returned buffer and releases it with delete[].
	inline wchar_t* StringToHex(const wchar_t* data)
	{
		wchar_t temporary[5];
		size_t len = wcslen(data);
		wchar_t* hex = new wchar_t[len * 4 + 1]; // four digits per character plus terminator
		hex[0] = L'\0';                          // L'' is not a valid character literal
		for (size_t x = 0; x < len; x++)
		{
			unsigned value = (unsigned)(data[x]);    // a 16-bit wchar_t on Windows fits four digits
			swprintf(temporary, 5, L"%04X", value);  // sized form: cannot overrun temporary
			wcscat(hex, temporary);
		}
		return hex; // returned as allocated with new[]; a _wcsdup copy would need free(), not delete[]
	}

Oh, be sure to delete[] the pointer returned from here, else you'll get
some giant memory leaks.

There's probably a way to reverse the hash, but I haven't tried, and in
my case it doesn't matter.  forgotten password=lost data.

- David
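The hash-and-compare scheme from this reply, as an added example that is not from the thread or from the md5hashing.com code: it is written in Python so the standard library supplies MD5, mirrors StringToHex() (four hex digits per UTF-16 code unit, surrogate pairs as two units) for the unsalted MD5 path, and then shows the salted, iterated variant that makes a digest embedded in the executable far harder to invert offline. Function names, the PBKDF2 parameters and the sample passwords are assumptions of this example.

```python
# Added example, not code from the thread. Legacy path mirrors the C++ snippet;
# the record path is the stronger variant a reviewer would ask for.
import hashlib
import hmac
import os
from typing import Optional


def string_to_hex(text: str) -> str:
    """Same output as StringToHex(): four uppercase hex digits per UTF-16 unit."""
    units = text.encode("utf-16-le")
    return "".join(f"{int.from_bytes(units[i:i + 2], 'little'):04X}"
                   for i in range(0, len(units), 2))


def legacy_digest(password: str) -> str:
    """Unsalted MD5 over the hex-encoded form, as the reply proposes (32 hex chars)."""
    return hashlib.md5(string_to_hex(password).encode("ascii")).hexdigest()


def legacy_verify(stored_digest: str, entered: str) -> bool:
    # compare_digest does not stop at the first differing byte, so the
    # comparison itself leaks nothing about how much of the digest matched.
    return hmac.compare_digest(stored_digest, legacy_digest(entered))


# Stronger variant: a random per-install salt defeats precomputed digest
# lookups, and the iterated hash makes each guess expensive. Salt and digest
# are stored together; the digest alone is still not enough to log in.
ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_record(record: dict, entered: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(record["digest"], digest.hex())


if __name__ == "__main__":
    # constructed sample values
    print(string_to_hex("pass"))                         # 0070006100730073
    print(legacy_verify(legacy_digest("pass"), "pass"))  # True
    rec = make_record("correct horse")
    print(verify_record(rec, "correct horse"), verify_record(rec, "wrong"))  # True False
```

Either record still ships inside the executable, so both remain "light duty" for someone who can read the binary; the salted variant only removes the precomputed-lookup shortcut and slows guessing.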

-----Original Message-----
From: windev-bounces at windev.org [mailto:windev-bounces at windev.org] On
Behalf Of Tim Lesher
Sent: Tuesday, March 17, 2009 7:54 AM
To: truckleaj-windev at yahoo.co.uk
Cc: windev at windev.org
Subject: Re: [windev] Passwords in MFC executables

On Tue, Mar 17, 2009 at 08:46,  <truckleaj-windev at yahoo.co.uk> wrote:
> Hello
>
> Can someone please clarify for me:
>
> I have a CEdit control with the ES_PASSWORD property set.
>
> In EN_CHANGE handler I do:
>
> UpdateData(TRUE);
> m_btnOK.EnableWindow(m_strPassword==_T("SomeValue"));
>
> This appears to work fine. But how "secure" is that?
>
> Can someone easily examine my EXE file to locate "SomeValue"?

Yes, very easily.  One step better would be not to encode the value in
plain text, but to use a one-way hash, and store the binary value.
Then hash the password the user enters, and compare the hashes.

That's still light duty for someone with a debugger and rudimentary
reverse engineering skills, but it's an easy step to take that raises
the bar a little.
-- 
Tim Lesher <tlesher at gmail.com>
-- 
Windev mailing list at Windev at windev.org

Lost your password?  Need to unsubscribe or change your delivery
options?  
Go to http://lists.windev.org/mailman/listinfo/windev
--
Search the Windev Archives - www.windev.org