Hey guys!

I'm working on a project which currently stored a user's credentials (username and password) on a file.

For security reasons I'd like to hash the password and stored that on the file instead of the actual password.

I've never done hashing before, so I would like to know how you would come about doing that?

Would you simply use a function which takes as an argument a string and perform some sort of mathematical operations with that string in order to end up either with a series of seemingly random numbers or chars?

Thanks for your suggestion and advice,

Regards,

Hugo.

For this kind of application, don't design your own hash function. Just use a cryptographic hash function like SHA-256. Don't use broken or weak functions like MD5 or SHA-1.

Personally, for most uses, I like the implementations here because they're easy to use:
https://github.com/B-Con/crypto-algorithms
They're single-file and have a simple interface.
If you need speed, you can use the ones from Crypto++:
https://www.cryptopp.com/
But Crypto++ is a relatively large library and the interface isn't quite as intuitive (at least, not to me). It may not be a perfect fit for your project if all you need is a hash function.

From my understanding, while using a simple SHA-256 (w/ salt) or other secure hash function may be acceptable for simple security, implementations for passwords should rather be using something with an adjustable amount of hashing iterations to further mitigate rainbow attacks or other brute-force attacks.

For example,
https://en.wikipedia.org/wiki/PBKDF2
https://en.wikipedia.org/wiki/Scrypt

Some quotes:

RFC 8018, published in 2017, recommends PBKDF2 for password hashing

PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in the year 2000 the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. As of 2005 a Kerberos standard recommended 4096 iterations, Apple iOS 3 used 2000, iOS 4 used 10000, while in 2011 LastPass used 5000 iterations for JavaScript clients and 100000 iterations for server-side hashing.

One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap. The bcrypt password hashing function requires a larger amount of RAM (but still not tunable separately, i. e. fixed for a given amount of CPU time) and is slightly stronger against such attacks, while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.

Those are great resources. But hoogo isn't making some commercial software, he's trying to add stuff to his personal little helper thingamajigie application. He's not distributing it so there's no need to "actually" be so secure.
(with reference to hoogo' post about his app) 'And I only assume this. Who knows maybe hoogo was secretly developing a new search engine or something.

So hoogo in my opinion you should search up different algorithms for encryption and try them out. I can't be more specific because I have no knowledge in this yet myself. ;p

And hey maybe if one day you wanted to distribute your application and not want other people to know its source then now you know!

if this is for a simple little home program, xor is just fine.

cin integer password.
seed random generator to that integer.
for all the letters you want to encrypt, just xor them with the next random value.
write that to the file. it will be binary, not text, be careful of this.
the exact same code decrypts it.

this is actually moderately annoying to hack. Its not foolproof by any stretch, but for a 5 line solution, its pretty good discouragement from the casual snooper.

And hey maybe if one day you wanted to distribute your application and not want other people to know its source then now you know

Not sure what you mean by this, sounds like a different topic than password hashing.

jonnin,
Yep, agreed, that's fine and can be fun for personal projects. (I just think it's obligatory to let anyone know that for any serious project, rolling your own is unwise and error-prone.)

Wow thank you guys for all the really interesting ressource and answers. As Grime was right to point out, I was asking merely for a simple fun project I'm developing for my personal enjoyment and because how else than by coding can can you learn coding better?

For those who are interested in knowing the whats and whys for my question, here is my previous post : http://www.cplusplus.com/forum/general/248842/

That being said, even though I wasn't looking to get into proper security and hashing I think all of the answers above are piquing my curiosity and interest.

@helios

Personally, for most uses, I like the implementations here because they're easy to use: https://github.com/B-Con/crypto-algorithms

Thanks, this one seems really interesting, I'll look into it!


@Ganado
Thanks for bringing to my attention all those methods of hashing/encrypting, I tried to do some research but I was overwhelmed by the number of mishmash of libraries and databases and whatnot I found on the subject, and really didn't know where to look / start.


@Grime

Who knows maybe hoogo was secretly developing a new search engine or something.

Hmmmm who knows, one may have many secrets hidden in dark places... :D Naah actually you're right, it's for my app I mentioned in an older post. Indeed I'm not trying to prevent any *hacking* per se, since the app isn't online. I'm in fact just trying to avoid anyone opening a .data file with a text editor like notePad++ or even notePad and finding my user credentials written in binary, which is still visible since it's one char array for the username and one for the password (currently).


@jonnin

cin integer password. seed random generator to that integer. for all the letters you want to encrypt, just xor them with the next random value. write that to the file. it will be binary, not text, be careful of this. the exact same code decrypts it.

That sounds more like encrypting than hashing (correct me if I'm wrong). I don't want to have to use a key to decrypt an encrypted password. My logic would be the following:
-> User creates username and password
-> Username is stored on X.data file
-> Password is hashed by a function and then stored on X.data file
_when user goes to log in_
-> User enters username, username is read from X.data file, usernames are compared
-> User enters password, password is hashed, hashed password is read from X.data file, hashed passwords are compared
-> If both usernames and hashed password are identical, user is logged in
What matters to me: the password is 'physically' written nowhere.


@Ganado

Yep, agreed, that's fine and can be fun for personal projects. (I just think it's obligatory to let anyone know that for any serious project, rolling your own is unwise and error-prone.)

Right on yes, for now it's for a fun personal project but I might need that info and knowledge later, so cheers!

for now it's for a fun personal project

std::hash might be worth a look then.

https://en.cppreference.com/w/cpp/utility/hash

@FurryGuy

std::hash might be worth a look then.

Thanks! It's pretty much what I was looking for! :)

I didn't know you could change your name!

It might be a new feature, i just figured this out, if you go in your account settings. Can only change it every 90 days though. :)

yes, what I gave you was encryption. You can use a portion of it to make a hash, of course, but you have all you need in the built in tool.