Reading in Encrypted Username/Password

Question

I am in the process of developing a console application that acts as a Diary. At this stage I am developing the login authentication and have hit a bit of a wall! As I will be dealing with text files for both my login and diary storage, I would like to encrypt these text files from prying eyes.

Now, the problem is I do not know how to go about the decrypt >> check user&&pass >> encrypt again.

Would it be along these lines?:

• Program Loads

• Decrypt passwords.txt

• If at any point the program closes, encryptFile() is ran.

• Validate user entry

• Encrypt passwords.txt

If I am along the right lines how do I go about implementing this? I searched for encryption tutorials for text files using c++ and they were not very helpful.

Here is my butchered beginner password.txt code, where shall I go from here? If there is an encryption tutorial/article you recommend that I missed please post it!

void checkPasswordFile() {

string username;
string password;
string passwordAgain;

string userIn;
string passIn;
string line;

ifstream passwordFile("passwords.txt");
istringstream instream;


if (passwordFile.good()) {


    cout << "\t==================================" << endl;
    cout << "\t----------------------------------" << endl;
    cout << "\tYou are a returning user, please fill in your details" << endl;




    while(!passwordFile.eof()) {
        getline(passwordFile, line);
        instream.clear();
        instream.str(line);
        username = line;

        getline(passwordFile, line);
        instream.clear();
        instream.str(line);
        password = line;
    }


    do {
        cout << "Username: " << endl;
        cin >> userIn;
        cout << "Password: " << endl;
        cin >> passIn;


        if (userIn == username && passIn == password) {

            displayMenu();

        } else {

            cout << "Username and Password Do Not Match, Try Again" << endl;
        }

    } while(userIn != username && passIn != password);


} else {
    cout << "file no exist";


    ofstream passwordFile;
    passwordFile.open ("passwords.txt", ios:: in | ios::app);

    cout << "\t==================================" << endl;
    cout << "\t----------------------------------" << endl;
    cout << "\tThis is your first run, please enter a username and password" << endl;
    cout << "\tUsername: " << endl;
    cin >> username;
    cout << "\tPassword: " << endl;
    cin >> password;

    /*
    Do Loop:
    Prompts Re-Entry if PasswordAgain is not equal to Password
    */
    do {

        cout << "Re-Type Password: ";
        cin >> passwordAgain;

        if(password != passwordAgain) {
            cout << "Passwords Do Not Match! Try Again" << endl;
        }
    } while(password != passwordAgain);


    passwordFile << username << "\n";
    passwordFile << password;
   }

}

Thank you very much for your time.

p.s for the life of me I cannot find out how to do:

Username:[cin>>username] on the same console line, sorry for doubling up but didn't deem it a big enough question for its own post! Thanks.

EDIT:

I have succesfully been able to decrypt the username and pass when created and stored in the text file. Then when the user comes back, what they entered is encrypted and compared with the file.

Problem being this only works for short words, user pass works, but username and password does not... any ideas why? Here is my encryption code:

 char encryptKey = 'h';
        cout << "\tUsername: ";
        cin >> userIn;
        cout << "\tPassword: ";
        cin >> passIn;

        for (int i = 0; i < userIn.size(); i++) {
            userIn[i] ^= encryptKey;
        }
        for (int x = 0; x < passIn.size(); x++) {
            passIn[x] ^= encryptKey;
        }

        if (userIn == username && passIn == password) {

            displayMenu();

        } else {

            cout << "\tUsername and Password Do Not Match, Try Again" << endl;
        }

Answer 1

The right thing to is not to encrypt the passwords file - the issue is that the encryption key for the file would need to be stored somewhere that the program can access it, which would make it relatively easy to find and abuse.

Instead, you should be using password hashing (using a strong hash algorithm like SHA1). A hash algorithm is a algorithm that deterministically maps a piece of text onto a large number (called its hash), and is designed to be irreversible without great effort. The basic concept is that you take the password, use it to compute its hash, and then store that hash. Later, when the user enters the password to log in, you compute its hash again and compare the resulting hash to the stored hash. Even if someone gains access to the hashes, they do not obtain the password, which is important, because people often share passwords between applications. Don't implement your own SHA1 hash - see "What is the best encryption library in C/C++?" for a list of libraries.

You must also use salting and key stretching to defend against common brute force attacks.