[Tutor] Password Program

Kirk Bailey idiot1@netzero.net
Fri Jul 25 20:00:14 2003


R. Alan Monroe wrote:

>>I was wondering if it was possible to have a program in Python ask someone for
>>a user name/password and then encrypt the password, save it to the harddrive, 
>>and later, when asked, decrypt the password and tell u what the un/pw is.
> 
> 
> I had never looked into this until recently, and I felt really stupid
> for it not having occurred to me. Most systems encrypt the password in a
> way to where you purposely CAN'T decrypt it. Later, when the user logs
> in, they encrypt whatever the user typed for the password, and compare
> that to the stored encrypted password.
> 
> I don't know if there's anything in the stock library that will do
> reversible encryption. Anyone know?
> 
> Alan
Not a clue, but a brute force attack with a good guesser program will soon crack that, 
unless you do something to hamper guessing. I used the time module in a password 
protected function of some importance to introduce a several second delay to purposely 
inconvenience password guessing. Just thought I would toss in this idea as a small tool to 
hamper cracking passwords with guessing attacks.

Also, many people generally use a word with a single number at the end. A simple way to 
make this much harder to crack means to slap another number on the other end, and not 
the same number, or even one in the middle as well. This will let you create a password 
that is easy to remember, but hard to guess.

Also, I seem to recall that better logon routines limit the number of tries before the 
program aborts. Then you have to start the login procedure all over again, another 
inconveniencing of the guesser routine.

Limiting connections does limit the number of guesser program connections that can 
simultaneously attack the server, but this also creates a vulnerability to DOS attacks: 
if it only allows 5 connections, and Mr. Cracker has 5 bots guessing passwords, you can't 
get into your own server, except from the console, a distressing situation.

Hope some of the ruminations prove to be of some value.

-- 

-- 

end

Cheers!
         Kirk D Bailey

  +                              think                                +
   http://www.howlermonkey.net  +-----+        http://www.tinylist.org
   http://www.listville.net     | BOX |  http://www.sacredelectron.org
   Thou art free"-ERIS          +-----+     'Got a light?'-Promethieus
  +                              think                                +

Fnord.
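
The approach discussed in this thread (store a one-way hash instead of a decryptable password, re-hash and compare at login, delay after a wrong guess, abort after a few tries), as an added example that is not part of the original posts. The function names, the PBKDF2 parameters, the try limit and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000   # assumed PBKDF2 work factor, chosen for this example
MAX_TRIES = 3          # assumed attempt limit before the login routine aborts
FAIL_DELAY = 2.0       # assumed delay in seconds after each wrong guess


def make_record(password):
    """Return (salt, digest) to save to disk; the password itself is never saved."""
    salt = os.urandom(16)  # random per-user salt so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(record, candidate):
    """Hash the candidate with the stored salt and compare in constant time."""
    salt, stored = record
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


def login(record, guesses, delay=FAIL_DELAY, sleep=time.sleep):
    """Try guesses in order; return (ok, tries_used), aborting at MAX_TRIES."""
    tries = 0
    for guess in guesses:
        if tries >= MAX_TRIES:
            break  # caller must restart the whole login procedure
        tries += 1
        if check_password(record, guess):
            return True, tries
        sleep(delay)  # slow down guessing, as suggested in the thread
    return False, tries


if __name__ == "__main__":
    record = make_record("4tangerine7")  # constructed sample password
    print(login(record, ["tangerine", "tangerine7", "4tangerine7"]))
    print(login(record, ["a", "b", "c", "4tangerine7"]))
```

The `sleep` parameter exists so the delay can be replaced in tests; in real use the default `time.sleep` applies.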