C++ //Password protection on entry

Thread: C++ //Password protection on entry

  1. #1
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548

    C++ //Password protection on entry

    Hi,

    I have only just started programming in C++, so please bear with me, but after reading quite a lot over the weekend, I managed to make a simple yet "imperfect" password protection on entry to a program, similar to a login. Here is my code:
    Code:
    #include <iostream>
    
    //An attempt at password protection
    //By J_K9   -- 10/07/2005
    
    int main()
    {
    	const int passwd = 13579;
    	int input_passwd;
    	std::cout << "Please enter your password: ";
    	std::cin >> input_passwd;
    	if (input_passwd == passwd)
    		std::cout << "\nEnter!\n";
    	else
    		std::cout << "\nSorry! Wrong password!\n";
    	return 0;
    }
    I have compiled this and I know it works. Then I decided that I wanted an alpha-numeric password, but I had an odd complaint from g++ when I tried replacing the "int" values with "char", and changing the passwd to "lycrolite" (including speech marks). My code can be found here. The error I received was:
    Code:
    jk9@ubuntu:~/CPP/000my_stuff/pass_prot2$ g++ passprot2.cpp
    passprot2.cpp: In function `int main()':
    passprot2.cpp:8: error: invalid conversion from `const char*' to `char'
    I didn't understand what the problem was, as I had checked and rechecked the code and it seemed flawless, but then I asked a member of another forum and he told me that I needed to use either string classes or character arrays, and he rewrote it as it should be (his code can be found here).

    I will read up on string classes and character arrays, but can I just quickly ask what that did, and why his works whereas mine doesn't? In the book I'm currently learning C++ from (SANS Teach Yourself C++ in 24 Hours, because "Accelerated C++" hasn't arrived yet in the post) it didn't mention the "string" value, which I actually used to use a lot with BASIC variables. I thought that from the information provided in the book, the only values allowed for strings were "char" and "float", but obviously "string" also exists....Yet, why do you need to "#include string"? Does this mean that "string" is not a variable type? Please teach me what's going on ! Thank you!

    J_K9

    P.S Is it possible to decompile an a.out file so that you can see the original source code? I don't think so but I just want to check, because if not that would really defeat the purpose of my code!
    TAZForum <---- click

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Just a hint pointers and pointers to char..

    Try using strncmp to compare two strings.. Don't use ==.
    Don't be tempted to use strcmp either..

    One other thing to note.. It will take a "cracker" about 5 seconds to learn your password..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
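
The comparison advice in reply #2, as an added example that is not part of the thread or any poster's code: it contrasts `==` on char pointers, `strncmp` bounded by the expected length (which only checks a prefix), `strncmp` bounded to include the terminator, and `std::string`. The function names and the use of "lycrolite" as the stored value are assumptions made for the illustration.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Constructed sample value: the password string mentioned in the first post.
static const char kExpected[] = "lycrolite";

// Pitfall: == on two char pointers compares addresses, not characters.
bool pointer_equal(const char* input) {
    return input == kExpected;
}

// Pitfall: bounding strncmp by strlen(expected) only checks a prefix,
// so "lycrolite123" is accepted.
bool prefix_only_match(const char* input) {
    return std::strncmp(input, kExpected, std::strlen(kExpected)) == 0;
}

// Bounding by sizeof(expected) includes the terminating NUL, so the
// lengths must agree as well as the characters.
bool bounded_match(const char* input) {
    return std::strncmp(input, kExpected, sizeof(kExpected)) == 0;
}

// std::string's operator== compares length and contents.
bool string_match(const std::string& input) {
    return input == kExpected;
}

int main() {
    char typed[] = "lycrolite";          // same characters, different address
    std::cout << std::boolalpha
              << "pointer ==           : " << pointer_equal(typed) << '\n'
              << "strncmp, prefix bound: " << prefix_only_match("lycrolite123") << '\n'
              << "strncmp, full bound  : " << bounded_match("lycrolite123") << '\n'
              << "std::string ==       : " << string_match(typed) << '\n';
    return 0;
}
```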

  3. #3
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    One other thing to note.. It will take a "cracker" about 5 seconds to learn your password..
    Lol thought so...that's why I said I thought it might be imperfect(ly insecure)

    So....OK now I'm really confused...String classes (is "string" a variable type?)? Character arrays? Pointers? Strncmp/strcmp? lol. Which one should I use to do something like this, and why? Also, how would a cracker be able to crack it so quickly? (i.e Is it possible to decompile an a.out/.exe file?). Cheers,

    J_K9
    TAZForum <---- click

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by J_K9
    Also, how would a cracker be able to crack it so quickly? (i.e Is it possible to decompile an a.out/.exe file?)
    Yes, it's possible to decompile an executable.. But there's no need.. Your strings are easily readable in the executable.. A simple strings command (man strings) on your executable will reveal these..


    IIRC a "string" is nothing more than an array of characters..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    As so often, there are several ways to accomplish what you want.
    In pure c++, you often use the c++-stream I/O (iostream)-way[1]
    to read in a bunch of characters (call it "string") by
    Code:
    char buffer[1024];
    std::cin.getline(buffer, sizeof(buffer));
    // or (requires #include <iomanip>):
    std::cin >> std::setw(1024) >> buffer;
    A buffer is a small portion in the memory. By the above procedure,
    you read in a couple of chars, until you hit enter. Assume, you read
    in 4 chars "ABCD":
    Code:
    buffer[0]='A';
    buffer[1]='B';
    buffer[2]='C';
    buffer[3]='D';
    buffer[4]=0;
    The last entry, buffer[4]=0, is a "delimiter". If such a delimiter is set,
    the buffer can be interpreted as a "string". With this object, you then
    can make use of the string-functions, like strncpy, which are declared
    in <string> (there, also the new data type string of the standard
    template library is defined)[2].

    As per your P.S.: Yes, it is possible to "decompile" your a.out file - actually,
    you disassemble it - see the crackit-challenge[3] by lepricaun. In case you
    succeed in implementing the string-version of your password program: It
    is even possible with an ordinary hex-editor (or even `cat`) to "crack"
    your password protection.


    Cheers.

    [1] http://tutorials.programmingsite.co.uk/cppgetline.php
    [2] http://www.bgsu.edu/departments/comp...cs/string.html
    [3] http://www.antionline.com/showthread...hreadid=262718
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
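
Why the `strings` command and a hex editor, as mentioned in replies #4 and #5, expose a hard-coded password, shown as an added example that is not part of the thread: a simplified printable-run scan in the spirit of `strings` (minimum run length 4, the tool's default), applied to a constructed byte image. The function names and the sample bytes are assumptions standing in for a real executable's data section.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Collect every run of at least min_len printable ASCII bytes (0x20..0x7e).
std::vector<std::string> printable_runs(const std::string& image,
                                        std::size_t min_len = 4) {
    std::vector<std::string> out;
    std::string run;
    for (unsigned char c : image) {
        if (c >= 0x20 && c <= 0x7e) { run.push_back(static_cast<char>(c)); continue; }
        if (run.size() >= min_len) out.push_back(run);
        run.clear();
    }
    if (run.size() >= min_len) out.push_back(run);
    return out;
}

// Constructed stand-in for a compiled program: string literals are stored
// byte-for-byte, NUL-terminated, between non-printable data and code bytes.
std::string sample_image() {
    std::string img;
    img.append("\x7f" "ELF\x02\x01\x01", 7);  // "ELF" is only 3 chars: dropped
    img.append(5, '\0');
    img += "Please enter your password: ";
    img.push_back('\0');
    img += "lycrolite";                        // the hard-coded password literal
    img.push_back('\0');
    img.append("\x55\x48\x89\xe5", 4);         // code bytes; "UH" is too short
    return img;
}

// True when the secret appears as its own printable run in the image.
bool literal_exposed(const std::string& image, const std::string& secret) {
    const auto runs = printable_runs(image);
    return std::find(runs.begin(), runs.end(), secret) != runs.end();
}

int main() {
    for (const auto& s : printable_runs(sample_image())) std::cout << s << '\n';
    return literal_exposed(sample_image(), "lycrolite") ? 0 : 1;
}
```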

  6. #6
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Oh yes of course, just search it for strings....gosh can't believe I forgot that! So what about the other stuff SirDice? Like the string stuff (which I'm extremely confused about, because it was declared in "#include <string>", meaning it's not a variable type, yet it was still assigned to a variable as a type ), character arrays, pointers, strncmp/strcmp? You don't need to explain them all, I'll research the rest myself, but please could you say which one I would use if I were writing a professional program, and which one any random cracker could get without breaking a sweat? Thanks for everything so far!

    edit: Wow thanks sec_ware, sorry I didn't see your post as I was already replying to SirDice's! In your case (i.e the buffer case), I'm guessing that we would still have to declare the constant to which the variable is going to verify the password, so technically a cracker can crack the password fairly easily, no matter which method we use? Also, do you know of any Linux equivalents of hiew? Thanks,

    J_K9
    TAZForum <---- click
