
Thread: Password Protection

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Password Protection

    Protecting passwords is not a simple task. For material that is not highly sensitive, it is enough just to make it difficult for the hacker. That involves using passwords at least 8 characters in length and using a variety of characters (upper, lower, and special characters). The more characters used, the more difficult it is to guess. I have operated a fake mail server for many years, and I still get more than 200 attempts a day to guess the UserId/passwords, even though there are no actual accounts.

    Using encryption helps with more sensitive material, but it does nothing to stop password guessing. Even temporarily suspending an account if too many attempts are made does not prevent password guessing. The hacker simply spreads out those guesses over time.

    Any time a key or password is stored on a system, it is vulnerable no matter what extremes are used to try and protect it. Forward secrecy helps protect against key theft because the keys are not stored, and passwords should always be stored encrypted or hashed.

    Then there is the problem of man-in-the-middle. Even with encryption, it does not take a lot of computer power to figure out the key used to encrypt short passwords. The best defense against that is to use Forward Secrecy, so that even if the hacker is able to figure it out for one session, the key is different for the next session. Even better yet would be to use a different password for every connection, encrypted or not. That is what I have attempted to do in this post.

    The principle used in this program is to shuffle the password on each and every connection. To enable authentication of the password, one end must be able to un-shuffle the password, and this is accomplished by using a Seed. In this case, the Seed is calculated from the previous password. This is similar to the way the Visual Basic Rnd function works. Even though it is not truly random, the hacker does not know where in the cycle the client and server are at. Even if the hacker is able to determine the current password and establish a connection, the real client will be alerted on the next connection attempt, and take corrective action. This is the same principle used in Forward Secrecy, except that in this case the user is notified of the intrusion.

    To demonstrate this technique, I am using the PicServer program previously posted, along with 2 special Web pages and a JavaScript file. In this case, I have chosen to manually enter the UserID into the database in order to control who can access the files. The user can then add the password. I needed a unique value in the browser, so I used a Time/Date stamp at the same time as the password cookie is entered. The password that the user enters is then used to calculate the Seed to shuffle the Time/Date stamp, thus forming the originating Password. The originating Password is then sent to the server, and the password cookie in the browser is updated. When the browser attempts a new connection, the UserID and Password cookies are sent to the server in the Get request. The server un-shuffles the Password cookie using the stored Password as the Seed, and compares it to the Password in its own database. If successful, the stored Password as well as the browser Password cookie are updated. The effect is that the stored Password in the server is always one step behind the browser Password cookie.

    Using this technique, the user only has to login once. Thereafter, the authorization is automatic on every connection. I am using HTTP 1.1, which allows a connection to be maintained as long as there is traffic. That timeout varies with the browser, and I have yet to establish a timeout for the server. To reset the password, one only has to delete the Password cookie.

    To prevent the user from directly accessing the JavaScript files, they have been hidden. To further restrict access, those files may have to be moved to a hidden directory.

    If you think about it, this technique permits access from a specific browser. If you use a different browser or a different computer, it will require a different UserID.

    This program should be considered a work in progress, and eventually will be converted to run as a service. It has only been tested on 2 different FireFox browsers I have at my disposal. Constructive feedback is welcome.

    Currently, access information (including the IP address) is displayed in the text box, and will be re-routed to a log file when it becomes a service. Setup instructions can be found in the Readme file.

    J.A. Coutts

    Edited: 01/05/2022 - see post 19 for details
    Updated: 02/10/2022 - see post 22 for details
    Last edited by couttsj; Feb 12th, 2022 at 06:05 PM.

  2. #2
    Addicted Member jg.sa
    Join Date
    Nov 2017
    Location
    South Australia ( SA )
    Posts
    198

    Re: Password Protection

    G'Day JAC

    I really like your idea here, but I had to make a couple of changes to 'test' the concept.

    Code:
    
    Private Sub UpdateList()
    ' FileName = "\ProgramData\PicSvc\users.db"
    FileName = ".\users.db"
    
    Private Sub UpdateDB()
    ' FileName = "\ProgramData\PicSvc\users.db"
    FileName = ".\users.db"
    ' BackName = "\ProgramData\PicSvc\users.bak"
    BackName = ".\users.bak"


    This is an app. that is screaming out for a remote socket DB, and is why I have always wanted to establish a 'Data Bro' network which utilises what I have been calling 'Cloud Database' (CD).

  3. #3
    Hyperactive Member
    Join Date
    Jun 2016
    Location
    España
    Posts
    506

    Re: Password Protection

    Problems starting this version of PicServer; the other one does work.
    When closing, it gives the error
    SimpleServer_CloseSck

    and the other error was solved like jg.sa did.

  4. #4
    PowerPoster Elroy
    Join Date
    Jun 2014
    Location
    Near Nashville TN
    Posts
    9,853

    Re: Password Protection

    Also, just some considerations about this. If done correctly, you've got to be careful to wipe all String variables containing a password before they're re-assigned or fall out of scope. If you don't, memory scrapers may get you. Even a sMyPassword = vbNullString isn't enough, as you never know what the memory manager is going to do. It might just somewhat abandon the old memory and give you more, letting garbage collection eventually recover it (but even then it's not necessarily blanked out).

    Code:
    
    Option Explicit
    '
    Public Declare Sub FillMemoryLong Lib "kernel32" Alias "RtlFillMemory" (ByVal pDest As Long, ByVal length As Long, Optional ByVal Fill As Byte)
    '
    
    Public Sub WipeString(ByRef s As String)
        If Len(s) Then
            FillMemoryLong StrPtr(s), LenB(s)
            s = vbNullString
        End If
    End Sub
    
    And, if I ever do show passwords on the screen, I don't show them as characters. Rather, I graphically print them:

    Code:
    
    Option Explicit
    '
    Public Declare Function TextOutW Lib "gdi32" (ByVal hDC As Long, ByVal x As Long, ByVal Y As Long, ByVal lpString As Long, ByVal nCount As Long) As Long
    '
    
    Public Sub ShowPassword(ByRef sRawPassword As String, ByRef hDcToPrintPassword As Long, Optional xLogical As Long, Optional yLogical As Long)
        ' Form or PictureBox should have AutoRedraw = True if that's what's used for hDC.
        TextOutW hDcToPrintPassword, xLogical, yLogical, StrPtr(sRawPassword), Len(sRawPassword)
    End Sub
    
    
    And, I'm not sure how you're doing it, but I'm always sure to hash and salt them, such that they're non-recoverable. The only way to match them is to hash and salt an incoming password and compare it to what's in the database.

    And then lastly, I have a custom user control for typing in the passwords. This UC doesn't keep the full password anywhere in memory except a string for immediate salting and hashing. It does not let it sit into a TextBox.Text property with VB6 doing who-knows-what with it.

    Here that UC is (in full). Just paste it into Notepad and then save as a CTL file, and then include in your project if you wish to use it.

    Code:
    
    VERSION 5.00
    Begin VB.UserControl TextPassword
       ClientHeight    =   3600
       ClientLeft      =   0
       ClientTop       =   0
       ClientWidth     =   4800
       ClipControls    =   0   'False
       BeginProperty Font
          Name            =   "Microsoft Sans Serif"
          Size            =   9.75
          Charset         =   0
          Weight          =   400
          Underline       =   0   'False
          Italic          =   0   'False
          Strikethrough   =   0   'False
       EndProperty
       HasDC           =   0   'False
       ScaleHeight     =   3600
       ScaleWidth      =   4800
       Begin VB.TextBox txt
          Height          =   495
          Left            =   1080
          TabIndex        =   0
          Top             =   840
          Width           =   1755
       End
    End
    Attribute VB_Name = "TextPassword"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = True
    Attribute VB_PredeclaredId = False
    Attribute VB_Exposed = False
    Option Explicit
    '
    Const MaxLength As Long = 20&
    Dim sText As String                 ' This will contain the critical text which must be cleared from memory.
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Dest As Any, ByRef Source As Any, ByVal Bytes As Long)
    '
    
    ' *******************************
    ' *******************************
    '
    ' Just a couple of public procedures.
    '
    ' *******************************
    ' *******************************
    
    Public Sub ClearText(Optional bClearTextbox As Boolean = True)
        ' Probably no need to externally call this, as it's called in the following code.
        Mid$(sText, 1&, 20&) = Space$(20&)
        If bClearTextbox Then txt.Text = vbNullString
    End Sub
    
    Public Sub CopyText(ByRef sTextCopy As String)
        ' It will be copied into the supplied string variable.
        ' If sTextCopy doesn't come in empty, it will be carefully erased.
        '
        Dim i As Long
        Dim j As Long
        '
        WipeString sTextCopy
        i = InStr(sText, Space$(1&))
        Select Case i
        Case 1&         ' The first character is a space, so we've got nothing.
            '
        Case 0&         ' There are no spaces, so the text is MaxLength long.
            sTextCopy = sText
        Case Else       ' We've got text, but it's shorter than MaxLength.
            '
            ' We've got to be careful to not make any extra copies of sText, not using Mid$() or Trim$().
            i = i - 1&  ' Don't take the space we found.
            sTextCopy = Space$(i)
            CopyMemory ByVal StrPtr(sTextCopy), ByVal StrPtr(sText), i * 2& ' Unicode.
        End Select
        '
        ' Be SURE to clear the memory of sTextCopy when done with it.
        '
    End Sub
    
    ' *******************************
    ' *******************************
    '
    ' UserControl properties & events.
    '
    ' *******************************
    ' *******************************
    
    Public Property Get BackColor() As OLE_COLOR
        BackColor = txt.BackColor
    End Property
    
    Public Property Let BackColor(ByVal New_BackColor As OLE_COLOR)
        txt.BackColor = New_BackColor
        PropertyChanged "BackColor"
    End Property
    
    Public Property Get Borderstyle() As Integer
        Borderstyle = txt.Borderstyle
    End Property
    
    Public Property Let Borderstyle(ByVal New_Borderstyle As Integer)
        If New_Borderstyle <> 0 And New_Borderstyle <> 1 Then New_Borderstyle = 1
        txt.Borderstyle = New_Borderstyle
        PropertyChanged "Borderstyle"
    End Property
    
    Public Property Get Font() As StdFont
        Set Font = txt.Font
    End Property
    
    Public Property Set Font(ByVal New_Font As StdFont)
        Set txt.Font = New_Font
        PropertyChanged "Font"
    End Property
    
    Public Property Get FontColor() As OLE_COLOR
        FontColor = txt.ForeColor
    End Property
    
    Public Property Let FontColor(ByVal New_FontColor As OLE_COLOR)
        txt.ForeColor = New_FontColor
        PropertyChanged "FontColor"
    End Property
    
    Private Sub UserControl_ReadProperties(PropBag As PropertyBag)
        txt.BackColor = PropBag.ReadProperty("BackColor", &H80000005)
        txt.Borderstyle = PropBag.ReadProperty("Borderstyle", 0&)
        Set txt.Font = PropBag.ReadProperty("Font", txt.Parent.Font)
        txt.ForeColor = PropBag.ReadProperty("FontColor", &H80000008)
    End Sub
    
    Private Sub UserControl_WriteProperties(PropBag As PropertyBag)
        PropBag.WriteProperty "BackColor", txt.BackColor
        PropBag.WriteProperty "Borderstyle", txt.Borderstyle
        PropBag.WriteProperty "Font", txt.Font
        PropBag.WriteProperty "FontColor", txt.ForeColor
    End Sub
    
    Private Sub UserControl_Initialize()
        sText = Space$(20&)
        txt.Text = vbNullString
        PositionTextbox
    End Sub
    
    Private Sub UserControl_Terminate()
        ClearText False     ' We don't clear txt.Text here because the txt object may already be gone.
    End Sub
    
    Private Sub UserControl_Resize()
        PositionTextbox
    End Sub
    
    Private Sub PositionTextbox()
        Static bRecursion As Boolean
        If bRecursion Then Exit Sub
        '
        bRecursion = True
        txt.Top = 0&
        txt.Left = 0&
        txt.Height = Height
        Height = txt.Height     ' txt may resize to a minimum height, so the control must also.
        txt.Width = Width
        Width = txt.Width       ' txt may resize to a minimum width, so the control must also.
        bRecursion = False
    End Sub
    
    ' *******************************
    ' *******************************
    '
    ' TextBox event handling.
    '
    ' *******************************
    ' *******************************
    
    Private Sub txt_KeyDown(KeyCode As Integer, Shift As Integer)
        Select Case KeyCode
        Case 35, 38, 39, 40     ' Disallowed keys: End, UpArrow, RightArrow, DownArrow (original listed 38 twice).
            KeyCode = 0
        Case 8, 37              ' Backspace, LeftArrow.
            If Len(txt.Text) Then
                Select Case True
                Case txt.SelLength:                   ClearText     ' No string cutting allowed.
                Case txt.SelStart <> Len(txt.Text):   ClearText     ' No middle deletion allowed.
                Case Else
                    Mid$(sText, Len(txt.Text), 1&) = Space$(1&)
                    txt.Text = String$(Len(txt.Text) - 1&, "*")
                    txt.SelStart = Len(txt.Text)
                End Select
            End If
            KeyCode = 0
        Case 46, 36             ' Delete, Home.
            ClearText
            KeyCode = 0
        End Select
    End Sub
    
    Private Sub txt_KeyPress(KeyAscii As Integer)
        If txt.SelLength Then ClearText                             ' No string cutting allowed.
        If txt.SelStart <> Len(txt.Text) Then ClearText             ' No middle insertion allowed.
        '
        If ValidAscii(KeyAscii) Then
            Mid$(sText, txt.SelStart + 1&, 1&) = Chr$(KeyAscii)     ' Insert without creating new string.
            txt.Text = txt.Text & "*"
            txt.SelStart = Len(txt.Text)
        End If
        KeyAscii = 0
    End Sub
    
    Private Function ValidAscii(KeyAscii As Integer) As Boolean
        Const sSpecial  As String = "()!""#$%&'+,-./:;<?>@[]\^_{}|~`="
        '
        If Len(txt.Text) >= MaxLength Then Exit Function  ' Nothing allowed when at MaxLength.
        ValidAscii = True
        Select Case True
        Case KeyAscii >= 48 And KeyAscii <= 57      ' Number digits.
        Case KeyAscii >= 65 And KeyAscii <= 90      ' Upper case.
        Case KeyAscii >= 97 And KeyAscii <= 122     ' Lower case.
        Case InStr(sSpecial, Chr$(KeyAscii))
        Case Else: ValidAscii = False
        End Select
    End Function
    
    
    
    By the way, that UC does make a call to WipeString, so you'll need that in your project.
    Last edited by Elroy; Nov 27th, 2021 at 05:38 PM.
    Any software I post in these forums written by me is provided "AS IS" without warranty of any kind, expressed or implied, and permission is hereby granted, free of charge and without restriction, to any person obtaining a copy. To all, peace and happiness.

  5. #5
    Addicted Member jg.sa
    Join Date
    Nov 2017
    Location
    South Australia ( SA )
    Posts
    198

    Re: Password Protection

    W O W

    People are really interested in this. Good one, JAC, for getting the ball rolling.

    I have seen apps used in gov.xx where the users don't actually know their own 'password'.

    The 1st time you hear this you are like W H A T T H E F x x K !!!!

    Yes, they are provided with a graphic containing stega text, which is actually a seed file for crypto, so not your standard pwd approach.

    It's all in the design.

  6. #6

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Quote Originally Posted by yokesee View Post
    Problems starting this version of PicServer; the other one does work.
    When closing, it gives the error
    SimpleServer_CloseSck
    There was a problem with the original version of PicServer that was resolved in the service version, and I believe you are using a modified version of the original. The best way to resolve this is to change all the HTTP/1.0 to HTTP/1.1. Theoretically, HTTP/1.0 will work with a header entry of "Connection: keep-alive", but that is the default for HTTP/1.1, and all modern browsers support HTTP/1.1. This will allow for a connection to be maintained until either the Client or the server closes the connection on an inactivity timeout.

    Next, change the line in SimpleServer_SendComplete:
    SimpleServer_CloseSck Index 'All data sent
    to
    CInfo(Index).TotalSent = 0

    This will prevent PicServer from closing the socket, and will rely on the browser inactivity timeout to close the socket.

    J.A. Coutts

  7. #7

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    What you need to remember about this system is that all the precautions that were necessary with static passwords are no longer needed. If there is no network activity for 2 minutes on Firefox, it closes the connection. The password can change several times within the same session. It no longer has to be protected with cryptography, and is quite suitable for standard HTTP. Hence there is no problem sending the UserID/Password as cookies.

    Also, to run the program as a service, directories and registry entries will have to be in areas accessible with system privileges. That is why I used the "ProgramData" directory for the database. There is no need to encrypt the database either. You may have noticed that the PWMaint program displays the passwords in Hex format, as I borrowed it from one of my other programs that used static passwords.

    Of course, the same principles could be used with HTTPS. I simply found that transferring large image files was quite slow using TLS.

    J.A. Coutts

  8. #8
    Addicted Member jg.sa
    Join Date
    Nov 2017
    Location
    South Australia ( SA )
    Posts
    198

    Re: Password Protection

    G'Day JAC

    I really like your idea here and where I think you could be headed with this in the future.

    Quote Originally Posted by couttsj View Post
    What you need to remember about this system is that all the precautions that were necessary with static passwords are no longer needed. If there is no network activity for 2 minutes on Firefox, it closes the connection. The password can change several times within the same session. It no longer has to be protected with cryptography, and is quite suitable for standard HTTP. Hence there is no problem sending the UserID/Password as cookies.
    When I talk about Stega, the implementation is to have many, many 10Ks of images/movies (files) that contain fragments of authentication items on a USB, or in your case it could be on a PicServer, but of course the agent will not know any of these 'Pwds' due to them being spread across so many files.

    They are trained and encouraged to add images, but are not permitted to delete any. Who deletes family happy snaps after all ???

    I have even seen the granularity of checking for alt. data streams (ADS) https://www.ntfs.com/quest22.htm and archive bits on nominated files, so it can become very complex very quickly, and analysing the traffic is never going to work, because it changes like you are suggesting.

    Stega has come into its own now that IOT is pouring image files in the billions onto the WAN and these small files can be transferred so quickly !!!

  9. #9
    PowerPoster wqweto
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Password Protection

    https://en.wikipedia.org/wiki/Block_...e_of_operation

    Can you find which mode listed above your password scheme implements? Looks like CBC but you're mangling the key somehow so not sure if it matches your mode of operations exactly.

    Overall I'm not convinced in the crypto strength of the whole "seed" shenanigans -- seems very weak.

    cheers,
    </wqw>

  10. #10

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Quote Originally Posted by wqweto View Post
    https://en.wikipedia.org/wiki/Block_...e_of_operation

    Can you find which mode listed above your password scheme implements? Looks like CBC but you're mangling the key somehow so not sure if it matches your mode of operations exactly.

    Overall I'm not convinced in the crypto strength of the whole "seed" shenanigans -- seems very weak.

    cheers,
    </wqw>
    Although there are some similarities, this is not cryptography. The closest thing I can find is the Rnd function in VB.
    ---------------------------
    For any given initial seed, the same number sequence is generated because each successive call to the Rnd function uses the previous number as a seed for the next number in the sequence.
    ---------------------------

    I started with the Fisher-Yates shuffle, which was easy to implement in VB6. I found an implementation in JavaScript, but it was long and complex. I found another unnamed shuffle in JavaScript that was similar but more concise, and I had little trouble duplicating it in VB6.

    The next problem was finding a unique value in the browser. It is not a simple task to access OS values with JS, and browsers operate on many different platforms, so I opted for saving a Date/Time stamp in Local Storage.

    I created the Seed by "XOR"ing the byte values in a sample byte string. I soon ran into problems with a very limited range of Seeds, and the eventual duplication of the shuffle. I was able to get a much broader range of Seeds by including a weighting factor of the index value of each character. I then created a program to test the theory. Using a 14 character byte string, I ran 2,032 shuffles and sorted the results. There were no duplications.

    The Date/Time stamp is 24 characters long, with a few duplications. Using a value of 20 different characters, there are 2.432902008E+18 possible permutations. To ensure that the starting password is unique, the Date/Time stamp is first shuffled using the password provided by the client as the Seed source.

    J.A. Coutts
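The rolling shuffled-password protocol from the opening post, with the seed construction couttsj describes in this post, as an added example written for this thread. This is not the PicServer or PWMaint code: the index weighting in the seed, the small LCG standing in for VB6's Rnd, the Fisher-Yates shuffle, the user name and the 24-character Date/Time stamp are all my assumptions or constructed for the demo. It walks through enrolment, several connections (the server stays one step behind the cookie), and the out-of-step "401" a genuine client hits after a second copy of the cookie has been used, which is the alert the opening post relies on.

```javascript
// Added example: reconstruction of the rolling shuffled-password scheme from posts #1 and #10.
// Not the PicServer code. Seed weighting, PRNG, shuffle, user name and stamp are assumptions.

// Post #10: XOR the byte values, weighting each by its index (exact weighting is assumed).
function seedFromString(s) {
  let seed = 0;
  for (let i = 0; i < s.length; i++) {
    seed ^= (s.charCodeAt(i) & 0xff) * (i + 1);
  }
  return seed >>> 0;
}

// Deterministic generator for a given seed (a small LCG; assumed stand-in for VB6's Rnd).
function makePrng(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return state / 4294967296;
  };
}

// Fisher-Yates driven by the seeded generator; returns the index permutation it applies.
function permutationFor(seed, n) {
  const p = Array.from({ length: n }, (_, i) => i);
  const rnd = makePrng(seed);
  for (let i = n - 1; i > 0; i--) {
    const j = Math.floor(rnd() * (i + 1));
    [p[i], p[j]] = [p[j], p[i]];
  }
  return p;
}

function shuffle(text, seed) {
  return permutationFor(seed, text.length).map((src) => text[src]).join('');
}

// Inverse of shuffle(): the server uses this to recover the previous password.
function unshuffle(text, seed) {
  const out = new Array(text.length);
  permutationFor(seed, text.length).forEach((src, dst) => { out[src] = text[dst]; });
  return out.join('');
}

// Server side: one stored password per UserID, always one step behind the browser cookie.
function createServer() {
  const db = new Map();
  return {
    enroll(userId, originatingPassword) { db.set(userId, originatingPassword); },
    authenticate(userId, cookiePassword) {
      const stored = db.get(userId);
      if (stored === undefined) return { ok: false, reason: 'unknown user' };
      // Un-shuffle with the stored password as seed source and compare (post #1).
      if (unshuffle(cookiePassword, seedFromString(stored)) !== stored) {
        return { ok: false, reason: 'mismatch' }; // the 401 an out-of-step client sees
      }
      db.set(userId, cookiePassword); // advance to the value the browser just presented
      return { ok: true };
    },
    stored(userId) { return db.get(userId); },
  };
}

// Browser side: originating password = stamp shuffled with the user's password as seed;
// each successful connection then rolls the cookie forward one step.
function createClient(server, userId, userPassword, stamp) {
  const originating = shuffle(stamp, seedFromString(userPassword));
  server.enroll(userId, originating);
  let cookie = shuffle(originating, seedFromString(originating));
  return {
    connect() {
      const result = server.authenticate(userId, cookie);
      if (result.ok) cookie = shuffle(cookie, seedFromString(cookie));
      return result;
    },
    cookie() { return cookie; },
  };
}

// Walk through the protocol, including the out-of-step signal the opening post relies on.
function runScenario() {
  const server = createServer();
  const stamp = 'Tue Jan 04 2022 10:15:30'; // constructed 24-character stand-in for the stamp
  const client = createClient(server, 'alice', 'correct horse battery', stamp);
  const first = client.connect().ok;
  const second = client.connect().ok;
  // The server holds the previous step: un-shuffling the live cookie with it gives the stored value.
  const oneStepBehind =
    unshuffle(client.cookie(), seedFromString(server.stored('alice'))) === server.stored('alice');
  // A second copy of the cookie (another browser, or a stolen one) is accepted once...
  const copyAccepted = server.authenticate('alice', client.cookie()).ok;
  // ...and the genuine client is then out of step on its next connection: that is the alert.
  const genuineAfterCopy = client.connect().ok;
  return { first, second, oneStepBehind, copyAccepted, genuineAfterCopy };
}
```

What the walkthrough makes visible is the property the thread is debating: the scheme gives synchronisation and a desync signal, not confidentiality. Every step is a deterministic function of the previous cookie alone, so the protection rests on the current cookie not being observed, and the only thing the genuine user gets after a copy has been used is the mismatch, which then has to be acted on through the reset path described in posts #11 and #19.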

  11. #11

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    I think I have figured out a way to resolve the security issue with resetting the password. It requires the server operator to reset the user's password to a preset value. The user then clears the password cookie and connects to the server. The user is prompted to enter a password (any password with a minimum length of 8 characters), and if the password in the database matches the preset value, a new password cookie will be created and the database password updated. If not, the "401 Unauthorized" error will appear.

    I have not updated the download yet in case there is some feedback on this fix.

    J.A. Coutts

  12. #12
    Addicted Member jg.sa
    Join Date
    Nov 2017
    Location
    South Australia ( SA )
    Posts
    198

    Re: Password Protection

    G'Day JAC

    There are two items in a login; you could always have an alias account name, so the account side of the login changes over time as well as the password, e.g. "DD-AcctAlias-HH" etc., and this data struc. can be different for each account alias !!!

    As I see you are following the .au'en rule - Keep It Simple Son - which is what I tell my young bloke and keeping in mind this needs to be as easy as possible to Admin.

    It is a thumbs up from me.

    I won't spend too much time on stuff like this, as once quantum computing (QC) gets up and going, passwords are going the way of the dinosaurs.

  13. #13
    PowerPoster wqweto
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Password Protection

    Quote Originally Posted by jg.sa View Post
    I won't spend too much time on stuff like this, as once quantum computing (QC) gets up and going, passwords are going the way of the dinosaurs.
    Not so fast -- of course there are post quantum algorithms for everything :-))

    @couttsj: Btw, there are RNGs based on hash functions (or HMACs) like the ones explained in NIST SP 800-90

    It's like feeding the initial password as IV/key into the hash function/HMAC/AES and then generating a stream of random "passwords" before needing to reseed at some point.

    cheers,
    </wqw>

  14. #14

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Quote Originally Posted by wqweto View Post
    @couttsj: Btw, there are RNGs based on hash functions (or HMACs) like the ones explained in NIST SP 800-90

    It's like feeding the initial password as IV/key into the hash function/HMAC/AES and then generating a stream of random "passwords" before needing to reseed at some point.

    cheers,
    </wqw>
    Initially, I had planned on using a hash function, but I wanted something that would work with HTTP, and crypto functions are only supported on HTTPS with most browsers. I did find an SHA-256 hash function in JavaScript, but again it was too long and complex for my liking.

    J.A. Coutts

  15. #15

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    I ran into a problem using Edge on Windows 11. For reasons unknown, it does not store the Date/Time stamp in Local Storage when setting up the account. I am not that familiar with either Win 11 or Edge, and I am having a difficult time getting rid of all the advertising and popups, so any advice would be appreciated.

    Eventually, I gave up on using Edge and loaded FireFox c/w NoScript. That seems to be the only way to get rid of all the advertising, but I would still like to find out why Edge does not store the Date/Time stamp.

    J.A. Coutts

  16. #16
    PowerPoster wqweto
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Password Protection

    As far as I understand, Local Storage is a glorified sqlite database in all of the implementations, but there is no date/time data-type in sqlite per se (only numeric and text data-types), so I'm not sure what could possibly go wrong here.

    cheers,
    </wqw>

  17. #17

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Quote Originally Posted by wqweto View Post
    As far as I understand, Local Storage is a glorified sqlite database in all of the implementations, but there is no date/time data-type in sqlite per se (only numeric and text data-types), so I'm not sure what could possibly go wrong here.

    cheers,
    </wqw>
    Sorry for the delay in responding, but other priorities got in the way. Using the modified code from w3schools below, I was able to narrow down the problem.
    Code:
    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="utf-8">
    </head>
    <body>
    <h1>The Window Object</h1>
    <h2>The localStorage Property</h2>
    <p id="name"></p>
    <p id="result"></p>
    <script>
    // Check browser support
    if (typeof(Storage) !== "undefined") {
      // Read whatever survived from the previous page load ("null" on a fresh profile)
      var oldname = localStorage.getItem("lastname");
      document.getElementById("name").innerHTML = "Stored Name is: " + oldname;
      // Set Item
      localStorage.setItem("lastname", "Jones");
      // Retrieve
      document.getElementById("result").innerHTML = "New Name is: " + localStorage.getItem("lastname");
    } else {
      document.getElementById("result").innerHTML = "Sorry, your browser does not support Web Storage...";
    }
    </script>
    </body>
    </html>
    There are 2 types of storage: localStorage and sessionStorage. Both are 8 bit text only (XML databases, I believe). sessionStorage stores data for the current session only. localStorage is supposed to store data until it is cleared. Neither FireFox V95 nor MS Edge V96 support File Load of JavaScript, so I had to run a version of PicServer on another machine in order to test it. FireFox displayed the localStorage value as "null" on the first pass, and "Jones" on the second pass. Restarting FireFox produced "Jones" on the first pass.

    When tested on Edge, "null" was displayed on the first pass, and "Jones" on the second pass. Restarting Edge produced "null" on the first pass.

    So it appears that Edge treats localStorage as if it were sessionStorage.

    J.A. Coutts
    Last edited by couttsj; Dec 25th, 2021 at 05:33 PM.

  18. #18

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    After a lot of trial and error, I found an answer to the MS Edge problem. By default, Edge appears to clear cookies and other site data, even if you give your site specific permission to store cookies. The catch is that doesn't include other site data such as localStorage.

    From "Settings", click on "Privacy, search, and services". Then click on "Choose what to clear every time you close the browser". If "Cookies and other site data" is on, there is an opportunity to add sites that you don't want to clear. Using "[*.]yoursite.com" will include things like "www.".

    This page is also accessible from "Cookies and site permissions", "Manage and delete cookies and site data", by clicking on a link called "Clear browsing data on close".

    J.A. Coutts

  19. #19

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    I had used the Date/Time stamp in localStorage because it was convenient and appeared to be universal. MS Edge proved that it was not universally applied. Upon further examination I found that it was not necessary to store it separately. I could create it at the same time as the password was entered and still maintain its uniqueness. It is only used once.

    At the same time, the security flaw with resetting the password was fixed. It will only work if the password on the server has been reset to a preset value. The maintenance program has been modified to provide that function.

    MS Edge has also raised another problem which I am still working on. The default Inactivity Timeout is supposedly 1 hour, which is totally inadequate for this purpose. That makes the server timeout very necessary. The problem I am struggling with is that each connection must have its own timer attached to the connection array element. What I also noticed with Edge is that it establishes a second connection about 3 seconds after the working connection. I am assuming that this is some kind of keep alive connection. It does not appear to cause any issues, as it disconnects at the same time as the working connection.

    I am still open as to what the server inactivity timeout should be.

    J.A. Coutts

  20. #20
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Location
    Sofia, Bulgaria
    Posts
    5,120

    Re: Password Protection

    Can you set up a public web server/page that is password protected with this implementation? Let's test how hard it is to unprotect it.

    Usually simple login/pass *basic* authentication protected resources are quite hard to brute-force, bordering on impractical, unless an implementation flaw is found.

    Let's see if this is better than plain-text basic HTTP authentication.

    cheers,
    </wqw>

  21. #21

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Quote Originally Posted by wqweto View Post
    Can you set up a public web server/page that is password protected with this implementation? Let's test how hard it is to unprotect it.

    Usually simple login/pass *basic* authentication protected resources are quite hard to brute-force, bordering on impractical, unless an implementation flaw is found.

    Let's see if this is better than plain-text basic HTTP authentication.

    cheers,
    </wqw>
    No problem. My own server is too old to support this program, so I am using my desktop machine. It does not operate continuously, so you will have to let me know what hours to keep it running. Details are in a PM I sent you.

    J.A. Coutts

  22. #22

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    This version uses password encryption instead of password shuffling. This permits a greater number of characters to be used, as well as twice as many values per character (255). Although 64 characters are shown, each pair represents a hex character. So there are really only 32 characters, representing 256 bit encryption.

    So far it has been tested on Firefox V56/V92/V97 and MS Edge V98. A problem was encountered with Edge during the login phase. It would update the password every time the "CONTINUE" page was passed through using the back/forward arrows without refreshing the page. This caused the browser password to be updated each time this occurred. Code was added to allow that script to be run once only per session. I have still not addressed the timeout issue with Edge, and I still do not know if there are any issues with Chrome and other browsers. Feedback would be appreciated.

    I also have a vulnerability issue that needs to be addressed. Because the encryption is based on a pseudo random technique, if a man-in-the-middle is able to trap 2 consecutive passwords, they can theoretically determine where in the encryption cycle the client is at and duplicate that cycle. The client will still be informed of any intrusion because only one side of the password will have been updated by the intruder. Ideas are welcome.

    J.A. Coutts

  23. #23

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    My apologies. With the files being in 3 different places, I messed up the upload. Corrected version is now available.

    J.A. Coutts

  24. #24

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,470

    Re: Password Protection

    Wasn't sure where to put this post, but it is related.

    It looks like the online world is finally starting to recognize the lack of security presented by user-defined passwords, as more and more companies are insisting on 2-step authentication, or on combining UserID and password into a passcode.

    I give a lot of the credit to CISA. Since Jan. 18 of this year, in response to the Russian invasion of Ukraine, CISA has been publishing cybersecurity threats instead of hiding them for their own use. Many of these threats pertain to servers, but a number of them relate to common browsers, including but not limited to Firefox, Google Chrome, iOS (Apple), and MS Edge. If you have seen a flurry of browser and OS updates recently, it is no accident. To get an idea of the magnitude of this campaign, see:
    https://www.cisa.gov/known-exploited...lities-catalog
    and click the down arrow next to "Date Added".

    J.A. Coutts
