Crypt and decrypt password

Hi everybody,
I need to store passwords encrypted in a database and then have the possibility to decrypt them by passing the encrypted one. How can I do it?

Thanks,
Andrea

Depends on what kind of encryption you prefer, but the standard library has packages like https://godoc.org/golang.org/x/crypto/bcrypt that have functions for what you’re looking to do.

Thanks for your reply, but I can’t find the method to decrypt a password previously encrypted and stored somewhere. That’s what I need.
Thanks

I am not sure what your specific goal is–maybe you have a very good reason for the need of decrypting a password–but a fundamental rule of IT security is to never, ever store passwords in a decryptable way. If an attacker gets hold of the encryption key, they will be able to read all passwords from that database instantly.

Passwords should always be stored as a hash. Hash functions are one-way functions - it is easy and fast to get a hash value from a clear text but next to impossible to get the clear text back from the hash.

When it comes to validating a password entered by a user, the entered password is run through the same hash function, and if the two hashes are identical, the user is successfully authenticated.

Apologies if you know that already–as I already wrote, I don’t know the reasons behind storing the password encrypted rather than hashed–, but this thread will be read by many people, and I think it is important that readers know that the standard way of securely storing passwords is using a cryptographic hash function. (And ideally with some salt and pepper on top.)


The goal is to store the passwords of a company in a safe store; I was thinking of a database. The problem is that when people need to connect to some machine via SSH, or other, they need to copy and paste the password, so, in some way, it should be possible to store them in an encrypted way and, when necessary, decrypt them.

In that case, you should encrypt and not hash the password. Use e.g. https://godoc.org/golang.org/x/crypto/nacl/secretbox
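Both halves of the advice in this thread in one program, as an added example that is not code from any of the posts: the one-way hash-and-verify path for login credentials (the hashing reply above) and the reversible encrypt-under-a-master-password path for secrets that must be pasted later (what the secretbox suggestion is for). Assumptions: only the Go standard library is used, so PBKDF2-HMAC-SHA256 is written out by hand and AES-256-GCM stands in for nacl/secretbox (same authenticated-encryption idea, different primitive); the function names, record layouts and sample values are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const (
	saltLen    = 16     // random salt stored next to each record
	nonceLen   = 12     // AES-GCM standard nonce size
	keyLen     = 32     // SHA-256 output size and AES-256 key size
	iterations = 100000 // PBKDF2 work factor
)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block, written
// out so that only the standard library is needed; bcrypt/scrypt/argon2 from
// x/crypto are the usual production choices for password hashing.
func pbkdf2(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1; one block covers our 32 bytes
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// HashPassword: one-way record (salt || hash) for a login credential; the password cannot be recovered from it.
func HashPassword(password string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return append(salt, pbkdf2([]byte(password), salt, iterations)...), nil
}

// VerifyPassword re-derives with the stored salt and compares in constant time.
func VerifyPassword(password string, record []byte) bool {
	if len(record) != saltLen+keyLen {
		return false
	}
	return subtle.ConstantTimeCompare(pbkdf2([]byte(password), record[:saltLen], iterations), record[saltLen:]) == 1
}

func newAEAD(masterPassword string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2([]byte(masterPassword), salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSecret: reversible storage (salt || nonce || ciphertext+tag) for a secret that must be pasted later.
func EncryptSecret(masterPassword, secret string) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per record
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead, err := newAEAD(masterPassword, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return aead.Seal(hdr, hdr[saltLen:], []byte(secret), nil), nil
}

// DecryptSecret fails on a wrong master password or on a blob modified in the database.
func DecryptSecret(masterPassword string, blob []byte) (string, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return "", errors.New("blob too short")
	}
	aead, err := newAEAD(masterPassword, blob[:saltLen])
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
	if err != nil {
		return "", errors.New("wrong master password or tampered data")
	}
	return string(pt), nil
}

func main() { // constructed sample values, not real credentials
	rec, _ := HashPassword("login-pw")
	fmt.Println(VerifyPassword("login-pw", rec), VerifyPassword("guess", rec)) // true false
	blob, _ := EncryptSecret("master-pw", "ssh password for host-1")
	fmt.Println(DecryptSecret("master-pw", blob)) // ssh password for host-1 <nil>
}
```

The record from HashPassword is stored as-is and only ever compared on login; the blob from EncryptSecret is stored and opened only when a user presents the master password. Whoever holds that master password (or the place it is hard-coded) can read every stored secret, which is the trade-off the rest of the thread keeps coming back to.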

This sounds like you want to implement some kind of password manager similar to Keepass or 1Password, where users can store tons of passwords and encrypt the whole thing with one single master password, right?

Well, if the master password is then reasonably long and difficult to guess or crack, then this is a reasonable thing to do.

If I had such a task on my list, I would start reading tons of books on cryptography and cryptanalysis, or even take a good crypto course, simply out of fear that I might end up producing only snake oil security - something that looks good but hardly secures anything.

Yes, this is exactly the idea.
You’re completely right, but also with Keepass, if someone has the password to access the file, it is not so safe, so what could be the best way to store passwords?
I can create a method to regenerate new keys every day and store them somewhere where only the superuser can access them and launch the procedure only by it, and the requests for the password by the users should be traced and allowed by logging.
What do you think?
Thanks in advance for your support.

That’s true, and the only way to make a Keepass database safe is to make the master password as long and as unguessable as possible.

I guess this works only as long as the superuser account is not compromised and the superuser is a trusted person.

But that’s only my $0.02, and I believe this is not helpful at all. After all, I am not a security expert (far from it! - just someone interested in that topic), so you might want to find a security forum somewhere, to get more helpful answers to your questions.

Keepass has the possibility to have two-factor authentication, even three-factor if you’re on Windows. (https://en.wikipedia.org/wiki/Multi-factor_authentication)

In Keepass, with your password, you can also have whatever secret file you like for the administrator to keep somewhere (like a USB key). Now to open the database, he needs both the file and the password.
If you manage your file and your password carefully, this is very secure.

If your use case is only for SSH, there are convenient solutions to avoid repeatedly typing the password, namely ssh-agent (Pageant for Windows).

Now, if you need a more complex solution, you could also use Keepass and extend its functionalities, as it has a complete plugin framework. Now if you want a Go interface, here it is (I never used it however).
This solution has the advantage of narrowing down the possible security issues.

But I agree with @chrisophberger on that: you should get some help from security professionals out there…

What I did was use the OpenSSL package. The reason is that others outside of Go needed to decrypt the password, so this created a library everyone could use. I did try the built-in ones first, but the NodeJS guys couldn’t decrypt it, so we went with this.

This can also be decrypted using openssl from the command line, but you have to know the passphrase in order to do so. If you keep the passphrase as something compiled into the

Two functions, one to encrypt, the other to decrypt. In my case I wrote this to a file; you could take the encrypted string and put it in a DB just as easily.

import (
	"fmt"
	"log"
	"os"

	// Assumed import path: the post only says "the OpenSSL package"; the
	// calls used here (openssl.New, EncryptString, DecryptString) match
	// github.com/Luzifer/go-openssl.
	openssl "github.com/Luzifer/go-openssl"
)

// verb enables the debug print below; it was used but not declared in the post.
var verb bool

// errorHandle was not shown in the post; this version logs the error and exits.
func errorHandle(err error, msg string) {
	if err != nil {
		log.Fatalf("%s: %v", msg, err)
	}
}

// EncryptStr returns the ciphertext of plaintext under passphrase, in the
// format that the openssl command line can read back.
func EncryptStr(plaintext, passphrase string) string {
	o := openssl.New()
	enc, err := o.EncryptString(passphrase, plaintext)
	errorHandle(err, "Encrypt String")
	return string(enc)
}

// DecryptStr reverses EncryptStr; it needs the same passphrase.
func DecryptStr(passphrase, sslEnc string) string {
	o := openssl.New()
	if sslEnc == "" {
		fmt.Println("No Password Found for User. Exiting")
		os.Exit(1)
	}
	if verb {
		fmt.Println("Password: ", sslEnc) // prints the stored ciphertext, not the cleartext
	}

	dec, err := o.DecryptString(passphrase, sslEnc)
	errorHandle(err, "Decrypt String")
	return string(dec)
}

Yes thanks a lot! This is also the solution I’ve found.
