Password hasher and encrypter, keep your Bitcoins safe!

[matt_boyd]

Hey BTCitcointalk,

Contextual information:

So basically I got into bitcoins maybe two or so months ago and have been interested ever since. Due to the surge in traffic to Bitcoins, people were getting their accounts hacked due to not having very safe passwords.

At this moment in time I am trying to get into programming and so for my first project I decided to make a password hasher, that seems to work fine and is on Github: https://github.com/matt-boyd/password_hasher. Then someone pointed out to me that I should put encryption onto the hashed password and so  Iimplemented this feature today. Here is the repository for the project: https://github.com/matt-boyd/hasher_and_encrypter. I hope that this can come in useful and you can inspect the code in the "hashing.py" file.

Thanks for reading, Matt.

NB
Due to this project being open-source, if you feel like donating, here is my bitcoin wallet: 169iA76RmnatFXmEthT6AEehxMQ9X1ro3L

[Remember remember the 5th of November]

And again Python...tbh I am rather tired of Bitcoiners constantly writing stuff in Python.

inb4 then don't use it. But it's true imho.

[matt_boyd]

Sorry about that, my reasoning would be that I am relatively new to the whole "programming" thing and Python was nice to start with...

Would you prefer that I wrote it in another language? If so tell me and I shall try my best!

[deepceleron]

I'm trying to understand how you expect people to use this. You say:

So basically I got into bitcoins maybe two or so months ago and have been interested ever since. Due to the surge in traffic to Bitcoins, people were getting their accounts hacked due to not having very safe passwords.

I counter that people are more likely to have their passwords or bitcoins stolen by running arbitrary code posted on the forum by noobs as their first post out of newbie jail, or especially .exe's claiming to be made from that code but which can't be replicated.

Hashing doesn't make a password or the resulting hash any more secure, and you certainly can't memorize a hash result. You can calculate a hash using Javascript in your web browser if you desired to do so.

Where is the encryption? You don't seem to know that cryptographic hashes are not encryption.
All I see is exes and dlls and no python.

[matt_boyd]

Right so,

especially .exe's claiming to be made from that code but which can't be replicated.

Feel free to take the code from hashing.py and the code from setup.py and run it using the py2exe module and make sure you have all the other modules in there, you will see that the code replicates perfectly.

Hashing doesn't make a password or the resulting hash any more secure

Yes, I know that is why there is a new one that has encryption with it. The hashing is more to prevent against easy brute-forcing attacks which seems to be quite common in the Bitcoin community.

Hope that helps out a little more,


Matt.

[deepceleron]

Right so,

especially .exe's claiming to be made from that code but which can't be replicated.

Feel free to take the code from hashing.py and the code from setup.py and run it using the py2exe module and make sure you have all the other modules in there, you will see that the code replicates perfectly.

Hashing doesn't make a password or the resulting hash any more secure

Yes, I know that is why there is a new one that has encryption with it. The hashing is more to prevent against easy brute-forcing attacks which seems to be quite common in the Bitcoin community.

Hope that helps out a little more,


Matt.

No .py here: https://github.com/matt-boyd/hasher_and_encrypter

What's being encrypted? What encryption algorithm is being used? etc? Hash algorithms are used as a way to non-reversibly store passwords, they are what is brute-forced when a site has their password list stolen.

I suggest you look at KeePass, http://keepass.info/features.html, which actually does create and store securely random passwords.

[matt_boyd]

Wow, sorry about that, didn't even see that I hadn't uploaded them, here is the link.

https://github.com/matt-boyd/hasher_and_encrypter

[mr-sk]

Still can't trust the source and the compiled binaries are 1:1 ... would have to compile and then check that the binaries match before I would run your stuff ... not sure novice programmers should do anything related to encryption, IMO.

If you really want to get into encryption, read, re-read and fully understand: http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

Again, novice (and experienced) programmers should NOT try to RELEASE encryption related ANYTHING. Too many mistakes have been made ... just look at the recent cryptocat debacle: http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html

... http://diovo.com/2009/02/wrote-your-own-encryption-algorithm-duh/ .. so many to read ....

[grue]

What's the point of this when you can use keepass? Better yet, why use this script when you can use shasum?