Convert stream to *

Aug 1, 2008 at 7:02am
OK, so what I am trying to do is allow the user to input their password to log in, but I want the stream showing on the screen to show "*****" instead of their password. How would I go about this?
Aug 1, 2008 at 7:12am
To do it "fancy" (i.e., just create the effect of "oh look, one cannot see the character"), you have to control the terminal (in *nix, you would use ncurses).
To do it with a little bit of security in mind, you have to study the operating system calls for this purpose (you don't want to erase the character with ncurses, because ncurses and the terminal at this point already know about the character, so if they contain malicious code (or contain a bug and dump their memory or whatever), your password can be read). You want the character not to be read by anyone else (which is impossible: if you have a USB keyboard, the keyboard driver, the usb-hub-driver and the usb driver have to be trusted), or at least by as few components as possible. Most OS developers put great effort into this sort of thing, so use it wisely.
Aug 1, 2008 at 4:41pm
Not so "fancy" as exception said, but I did it with the getch() function.
I used getch() to get the character the user entered and then I printed a "*" on the screen.
Here is how I did it:
#include <iostream>
#include <string>
#include <conio.h>
using namespace std;
int main(){
   string pass ="";
   char ch;
   cout << "Enter pass\n";
   ch = _getch();
   while(ch != 13){//character 13 is enter
      pass.push_back(ch);
      cout << '*';
      ch = _getch();
   }
   if(pass == "Mitsakos"){
      cout << "\nAccess granted :P\n";
   }else{
      cout << "\nAccess aborted...\n";
   }
}


(If _getch() doesn't work remove the "_")

Hope that Helps
Last edited on Aug 1, 2008 at 4:44pm
Sep 18, 2008 at 6:27pm
Yeah, I did the same thing as Mitsakos. I ran into a problem though. If the user hits an arrow key or any of the F keys (F1-F12) or any other special character... it gets added to the password as well. I'm not sure how to get around that little problem.
Sep 18, 2008 at 7:25pm
You all ought to go tell your professor that a homework to get passwords from the console is not a good idea for beginning students. To do it right takes a lot more than knowing something about <conio.h>.

Beyond which, if he wants you all to be using <conio.h>, he ought to provide you with decent documentation:

The WinBGI has getch()
http://www.cs.colorado.edu/~main/cs1300/doc/bgi/getch.html

Here is a prof who has good sense:
http://www.uwplatt.edu/csse/Courses/prev/f99/cs143/conio.html

And straight from the horse's mouth:
http://msdn.microsoft.com/en-us/library/078sfkak(VS.71).aspx
(Yes, Microsoft invented conio.h, not Borland.)

Hope this helps.
Sep 19, 2008 at 9:06pm
I figured out how to catch an occurrence of those special characters. You have to check for case 0xE0 as well as case 0:

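#include <cctype>
#include <conio.h>
#include <iostream>
#include <string>
using namespace std;

int main()
   {
   string password;
   int c;   //int, not char: in a signed char 0xE0 is negative and never matches case 0xE0

   do   //Loop until 'Enter' is pressed
      {
      c = _getch();
      switch(c)
         {
         case 0xE0:        //Catches arrow keys, end, home, page up/down, etc.
            {
            _getch();      //Discard the second code of the key
            break;
            }
         case 0:           //Catches f1-f12
            {
            _getch();
            break;
            }
         case '\b':
            {
            if(password.size() != 0)  //If the password string contains data, erase last character
               {
               cout << "\b \b";
               password.erase(password.size() - 1, 1);
               }
            break;
            }
         default:
            {
            if(isalnum(c) || ispunct(c))
               {
               password += static_cast<char>(c);
               cout << "*";
               }
            break;
            }
         }
      }
   while(c != '\r');
   cout << "\n";
   }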
Sep 19, 2008 at 9:26pm
What anybody has yet to say is that masking the password characters to anything but "" is outright retarded.
The mask stays on the screen until it's scrolled up, which means anyone passing by during that period could count the characters and the security of the password would be weakened.
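The no-echo approach raised in this thread (use the operating system's own terminal call and show nothing at all), as an added example that is not part of any post. It assumes a POSIX system with termios rather than the Windows <conio.h> used above; `EchoOff`, `read_secret` and `wipe` are hypothetical names.

```cpp
#include <iostream>
#include <string>
#include <termios.h>
#include <unistd.h>

// RAII guard: clears ECHO on a terminal fd and restores the saved settings
// when it goes out of scope, so an early return cannot leave echo off.
class EchoOff {
public:
    explicit EchoOff(int fd) : fd_(fd) {
        if (!isatty(fd_) || tcgetattr(fd_, &saved_) != 0) return;  // pipe or file
        termios t = saved_;
        t.c_lflag &= ~static_cast<tcflag_t>(ECHO);  // tty driver stops echoing keys
        t.c_lflag |= ECHONL;                        // the final newline is still shown
        active_ = (tcsetattr(fd_, TCSAFLUSH, &t) == 0);
    }
    ~EchoOff() { if (active_) tcsetattr(fd_, TCSAFLUSH, &saved_); }
    bool active() const { return active_; }
private:
    int fd_; bool active_ = false; termios saved_{};
};

// Hypothetical helper: read one line from fd into out with echo disabled.
// Returns true when a full line was read, false on EOF or error.
bool read_secret(int fd, std::string& out) {
    EchoOff guard(fd);
    out.clear();
    for (;;) {
        char c;
        ssize_t n = read(fd, &c, 1);
        if (n <= 0) return false;
        if (c == '\n') return true;
        out.push_back(c);
    }
}

// Best-effort overwrite of the current buffer before the string is released.
void wipe(std::string& s) {
    volatile char* p = s.empty() ? nullptr : &s[0];
    for (std::size_t i = 0; i < s.size(); ++i) p[i] = 0;
    s.clear();
}

int main() {
    std::string pw;
    std::cerr << "Password: ";
    bool ok = read_secret(STDIN_FILENO, pw);
    wipe(pw);
    return ok ? 0 : 1;
}
```

Because the terminal stays in canonical mode, the terminal driver handles backspace itself and no per-key loop is needed.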
Sep 20, 2008 at 2:40am
Funny how common that is...

All my important passwords are (much) more than ten characters long anyway... so I never worry too much about it.

The sad thing is, though, that a lot of times people actually want the stars/dots/whatever...

One of my professors is working on a superior method that even people who like to count off the number of 'q's in their passwords (like "qqqqqqq") can use with the full benefits of security. More intuitive, no more keyboard: Graphical passwords. The user can even choose his own password image, with negligible effects on password security. :-)
http://portal.acm.org/author_page.cfm?id=81100322906&coll=GUIDE&dl=GUIDE&trk=0
Last edited on Sep 20, 2008 at 2:41am
Sep 20, 2008 at 2:52am
Yeah, I know that having the "*" visible reduces the security by a little. But if you have a 6 character password there are tons and tons and tons of possible passwords. Just 'cause you know there are six characters doesn't help you that much. It is true though that more people prefer to have some sort of visual when typing in their password.
Sep 20, 2008 at 3:45am
If you are looking to crack someone's password, it actually helps a significant amount to know how many characters there are in it. It carves a couple millennia off for just a brute-force method.

[edit]
For nothing more than feedback, you could just alternate through two or three random characters each time a key is pressed. For example

x (user types first char)
% (user types second char)
x (user types third char)
% (user types fourth char)
x (user types fifth char)
...

or something like that...
Last edited on Sep 20, 2008 at 3:48am