
I am creating a desktop application that uses the face as the password. Until now, I have been able to identify people and then authenticate them based on their faces.

What the application does is:

If a person is enrolled and presents his face in front of the web camera, the application identifies the person and automatically opens a website, fills the username and password textboxes, and automatically logs into the account associated with that face. So, the user doesn't even need to type his password.

Now, the main problem is, at the time of enrolment, the user has to present his face along with his/her username and password for the account. I am storing the username and password in the database. I want to be able to store the password in hashed form. Now, since the password is stored in sha1 form, the actual password is unknown and when the user presents his face, the password is automatically filled in by the data stored in the database. If the hashed password gets entered into the password textbox, the password will be flagged as "wrong password" by the website as they expect password to be in plaintext.

Is there any way to store the user passwords? Because storing them in plain text doesn't seem to be a good idea. Anyone with access to the database can see all the passwords for all the users. Although, if I store them in plaintext, the application will work fine since the password will be filled in plaintext automatically!

Also, let me know if there's a way to send the password to the server in hashed form and still get authenticated.

Dipojjal

3 Answers


The common pattern is this: The password is sent to the server in plain text and the server hashes it before comparing it with the hashed password in the database.

Note that you may not want to use SHA1 for that and also read up on the usage of salt.

I only found one library suitable for vb.net: http://bcrypt.codeplex.com/

Edit: Please see whether or not you can send the hash instead of the real password, since storing encrypted passwords is not much better than plain text passwords. Where do you store the key(s)?

mevdschee
  • https://en.wikipedia.org/wiki/Blowfish_(cipher)#Weakness_and_successors Blowfish is more vulnerable than AES. However your answer is very good. +1 – Fᴀʀʜᴀɴ Aɴᴀᴍ Oct 17 '15 at 09:45
  • @mevdschee Where does 'two-way' Encryption come from? The passwords should be in the database in AES Encrypted form. To use it after retrieval, you have to decrypt it. That's it. You rule out SHA1 here. – Fᴀʀʜᴀɴ Aɴᴀᴍ Oct 17 '15 at 20:13
  • @FarhanAnam sorry about that.. I misunderstood you. – mevdschee Oct 17 '15 at 20:15
  • yes storing the key is the main thing. but still it's better to store encrypted passwords. Someone can get the password database more easily than the key in the application. – Fᴀʀʜᴀɴ Aɴᴀᴍ Oct 17 '15 at 20:16
  • @FarhanAnam It seems the OP is not aware of security or ethical issues. One should never take (unnecessary) risks that user's passwords leak when the server gets hacked. It is immoral behavior in my book. It's a pity that your answer (and comments) do not reflect that. – mevdschee Oct 17 '15 at 20:32
  • @mevdschee I am not using SHA-1 because I cannot retrieve the password once hashed, and, for the current situation, there seems to be no idea other than decrypting the password back to plaintext before sending it to the server, where it will be hashed again and then compared to the hash of the password. I've decided on using AES and it's working great as of now. – Dipojjal Oct 18 '15 at 03:51
  • @mevdschee I'm glad they don't. – Fᴀʀʜᴀɴ Aɴᴀᴍ Oct 18 '15 at 09:34
  • @Dip You seem to miss the point. Let me put it a little more harsh and direct: Your users will re-use the password they have chosen on other services and you will actually store it in a retrievable manner. Your server will get hacked and all the passwords will be posted on the Internet. Real people's identities will be stolen, people will suffer huge damages. That is (partly) your fault. TL;DR Good security practices are not for you, but for your users. – mevdschee Oct 18 '15 at 12:49
  • @mevdschee I understand your point; that's why I'm using AES for the encryption. The passwords will be stored in AES encrypted form. I don't want to compromise user security; that's why I asked the question, and I really thank everyone for coming up with an idea that's perfect for my scenario. Also, I'm using encryption with salting. Now my passwords seem to be protected even in the case of server hacks. – Dipojjal Oct 19 '15 at 02:09
  • @Dip I'm still not convinced you understood my point, but I'll leave it at this. Thank you for trying to understand. – mevdschee Oct 19 '15 at 19:56

@Dip I think the question you are asking is a very common one and there is a lot of discussion and debate around it. I would advise you to first understand the various encryption / decryption algos used and the advantages / disadvantages of the same.

A quick Google search found the following useful links to help you pick your algorithm: Best algorithm to Encrypting / Decrypting a string & Key storage method http://homepages.uel.ac.uk/u0430614/Encryption%20index.htm

Once you have chosen the algorithm that works for your needs, then start looking for libraries that implement that algorithm in vb.net.

vvs

You should use these steps:

Store passwords in AES Encryption -> In your app, retrieve the password and decrypt it -> Recognize face -> Open Website -> Then input Username and decrypted passwords -> Log In -> Other Stuff..
You can use this AES module for encryption and decryption:

Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Public Module AES
    ' Encrypts bytesToBeEncrypted with AES-256 in CBC mode. Key and IV are both
    ' derived from passwordBytes with PBKDF2 (Rfc2898DeriveBytes).
    Public Function AES_Encrypt(bytesToBeEncrypted As Byte(), passwordBytes As Byte()) As Byte()
        Dim encryptedBytes As Byte() = Nothing

        ' Set your salt here, change it to meet your flavor:
        ' The salt bytes must be at least 8 bytes.
        ' Note: with a constant salt and an IV derived from the same password,
        ' every value encrypted under one password reuses the same key and IV.
        Dim saltBytes As Byte() = New Byte() {1, 2, 3, 4, 5, 6, 7, 8}

        Using ms As New MemoryStream()
            Using AES As New RijndaelManaged()
                AES.KeySize = 256
                AES.BlockSize = 128

                Dim key = New Rfc2898DeriveBytes(passwordBytes, saltBytes, 1000)
                AES.Key = key.GetBytes(AES.KeySize \ 8)   ' 32-byte key
                AES.IV = key.GetBytes(AES.BlockSize \ 8)  ' 16-byte IV

                AES.Mode = CipherMode.CBC

                Using cs = New CryptoStream(ms, AES.CreateEncryptor(), CryptoStreamMode.Write)
                    cs.Write(bytesToBeEncrypted, 0, bytesToBeEncrypted.Length)
                    cs.Close()
                End Using
                encryptedBytes = ms.ToArray()
            End Using
        End Using

        Return encryptedBytes
    End Function

    ' Reverses AES_Encrypt; passwordBytes must be the same bytes used to encrypt.
    Public Function AES_Decrypt(bytesToBeDecrypted As Byte(), passwordBytes As Byte()) As Byte()
        Dim decryptedBytes As Byte() = Nothing

        ' Set your salt here, change it to meet your flavor:
        ' The salt bytes must be at least 8 bytes (and must match AES_Encrypt).
        Dim saltBytes As Byte() = New Byte() {1, 2, 3, 4, 5, 6, 7, 8}

        Using ms As New MemoryStream()
            Using AES As New RijndaelManaged()
                AES.KeySize = 256
                AES.BlockSize = 128

                Dim key = New Rfc2898DeriveBytes(passwordBytes, saltBytes, 1000)
                AES.Key = key.GetBytes(AES.KeySize \ 8)
                AES.IV = key.GetBytes(AES.BlockSize \ 8)

                AES.Mode = CipherMode.CBC

                Using cs = New CryptoStream(ms, AES.CreateDecryptor(), CryptoStreamMode.Write)
                    cs.Write(bytesToBeDecrypted, 0, bytesToBeDecrypted.Length)
                    cs.Close()
                End Using
                decryptedBytes = ms.ToArray()
            End Using
        End Using

        Return decryptedBytes
    End Function
End Module

Note that the functions take byte arrays as their arguments and also return byte arrays. You can get a byte array from a string by using System.Text.Encoding.UTF8.GetBytes("string") and a string from a byte array using System.Text.Encoding.UTF8.GetString(bytes). You can change UTF8 if necessary.

Fᴀʀʜᴀɴ Aɴᴀᴍ
  • Thanks, your solution helped a lot. Also I'm using the same workflow you mentioned here and it works great. – Dipojjal Oct 18 '15 at 03:38