How to locally store password in a text file and prevent user resetting password if they know the hashing algorithm?
Question
The goal:
- Store usernames, hash salt & hashed password in a text file
- Allow user to copy and paste the file to other computers that are running the same application
- Catch if a user edits the text file and replaces the hashed password, effectively resetting a password to whatever they want, for any user.
The problem: If I store usernames, hash salt & hashed password a user can reset the password assuming they know the hashing algorithm. I could add an extra step, like hash(password, salt, "X") where "X" is just a constant value getting added to the password and salt. This value "X" could be hardcoded into the application. However, this is security through obscurity, which is "fine" until this "custom" hashing algorithm is figured out / exposed.
Is there a way to accomplish these goals even if the users knew the hashing algorithms being used?
It sounds like a use case for a private key that must be kept secret, but are there other options?
This was a great Q&A but it doesn't have a solution for moving files: How to securely save username/password (local)?
1 answers
solution1
1 2022-11-16 21:43:22
I would look into digitally signing the file.
If you have access to something like AES crypto suite it would be fairly easy to generate a privKey/pubKey pair and sign your password file to ensure it is not tampered with, you would of course need to resign the file anytime legitimate changes are made to it.
I should mention using the private key to sign inside the application means the key to a certain extent is vulnerable to being extracted by users. You need to decide for yourself how secure your system needs to be.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.