Code Review

replaced http://codereview.stackexchange.com/ with https://codereview.stackexchange.com/

It looks like passwords are stored in plain text form in the pswd.txt file. Never ever store passwords in plain text form. Store passwords salted and cryptographically hashed. That way, if an attacker gains access to the file, he still has to crack the password, which can be extremely difficult if the password is strong enough.

To verify a password, apply the same algorithm to the user input as used when creating the salted and cryptographically hashed version. The result will only match the stored password if the user entered the correct password.

@Boris left a great comment, quoting it verbatim:

Encrypted passwords are a bad idea as the encryption key needs to be stored in the code, then it's just a question of looking at the code to gain the key. Hashing is irreversible and using a good, random, unique salt per password and a purpose-built cryptographic hashing algorithm is the only acceptable way of storing passwords - the best idea is to use something like bcrypt which is industry standard and rolls all this together.
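A worked example of what the answer describes, added here and not part of janos's answer or the code under review: each password gets its own random salt, the salt and a slow keyed derivation (PBKDF2-HMAC-SHA256 from the standard library, standing in for the bcrypt that Boris recommends) are stored in a self-describing record, and verification re-runs the same derivation on the user's input and compares in constant time. The record format, the 16-byte salt, the 600,000-iteration count and the in-memory stand-in for pswd.txt are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters (this example's choices, not from the original answer):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per password, 600,000 iterations.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for every call unless one is passed in
    explicitly (useful only for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-run the same derivation with the stored salt and compare the results."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison: the verdict must not depend on how many leading
    # bytes happened to match.
    return hmac.compare_digest(actual, expected)


# The password file is modelled as a list of 'username:record' lines, an
# in-memory stand-in for pswd.txt constructed for this example.
def add_user(lines: List[str], username: str, password: str) -> None:
    """Append a new user; only the salted hash record is ever written."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    lines.append(f"{username}:{hash_password(password)}")


def check_login(lines: List[str], username: str, password: str) -> bool:
    """Look the user up and verify the candidate password against the record."""
    for line in lines:
        name, _, record = line.partition(":")
        if name == username:
            return verify_password(record, password)
    return False


if __name__ == "__main__":
    store: List[str] = []
    add_user(store, "alice", "correct horse battery staple")
    print(store[0])  # what someone who reads the file actually sees
    print(check_login(store, "alice", "correct horse battery staple"))  # True
    print(check_login(store, "alice", "hunter2"))  # False
```

Because the salt and iteration count travel with the record, the verifier never needs a secret key, which is exactly the property that distinguishes hashing from the reversible encryption Boris warns against; raising the iteration count later only requires re-hashing on the user's next successful login.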

added 624 characters in body
janos

It looks like passwords are stored in plain text form in the pswd.txt file. Never ever store passwords in plain text form. Store only encrypted passwords. That way, if an attacker gains access to the file, he still has to decrypt it, which can be extremely difficult if the password is strong enough. If the password is not encrypted, it's game over.

To verify a password, encrypt the user input using the same algorithm that was used to store the original, and compare encrypted version against encrypted version.

It looks like passwords are stored in plain text form in the pswd.txt file. Never ever store passwords in plain text form. Store passwords salted and cryptographically hashed. That way, if an attacker gains access to the file, he still has to crack the password, which can be extremely difficult if the password is strong enough.

To verify a password, apply the same algorithm to the user input as used when creating the salted and cryptographically hashed version. The result will only match the stored password if the user entered the correct password.

@Boris left a great comment, quoting it verbatim:

Encrypted passwords are a bad idea as the encryption key needs to be stored in the code, then it's just a question of looking at the code to gain the key. Hashing is irreversible and using a good, random, unique salt per password and a purpose-built cryptographic hashing algorithm is the only acceptable way of storing passwords - the best idea is to use something like bcrypt which is industry standard and rolls all this together.

janos

It looks like passwords are stored in plain text form in the pswd.txt file. Never ever store passwords in plain text form. Store only encrypted passwords. That way, if an attacker gains access to the file, he still has to decrypt it, which can be extremely difficult if the password is strong enough. If the password is not encrypted, it's game over.

To verify a password, encrypt the user input using the same algorithm that was used to store the original, and compare encrypted version against encrypted version.
