topic Re: save passwords securely in Discussions

save passwords securely

vince_faller — Wed, 23 Oct 2019 18:19:52 GMT

Does anyone have a secure way to store passwords so users don't have to enter their password every time?

I don't want to just store the password as plain text in a preferences file or anything like that.

Names default to here(1);
nw = new window("Login", 
	lineupbox(ncol(2), 
		textbox("Username"), teb_uid = texteditbox("Vincent", <<Set Width(200)), 
		textbox("Password"), teb_pwd = texteditbox("thisisapassword", <<Width(200), <<Password Style(1))
	), 
	cb_save = checkbox({"Remember Me"}), 
	buttonbox("OK", 
		uid = teb_uid << Get Text();
		pwd = teb_pwd << Get Text();
		nw << close window();
	)
);

Re: save passwords securely

txnelson — Wed, 23 Oct 2019 20:26:08 GMT

Create a script that contains the passwords........in Associative Arrays, or in lists, etc. Then save that script as an encrypted script.

Re: save passwords securely

vince_faller — Wed, 23 Oct 2019 21:28:58 GMT

That would involve me having access to all users passwords. Definitely not doable. And telling a user to save their password as an encrypted script also isn't a viable option. I truly want a "remember me" option where I can store whatever username/password they type programmatically, but that storage is secure.

Re: save passwords securely

vince_faller — Fri, 06 Mar 2020 19:51:57 GMT

Figured I'd try to bump this to see if anyone has any ideas.

Because now I'm having issues with other types of secrets as well. User Access Codes and what not.

Re: save passwords securely

Paul_Nelson — Mon, 09 Mar 2020 13:28:08 GMT

Secure storage of credentials is a difficult issue. It's really difficult to do right. At very least you likely still need the user to enter some form of credentials once per session, to prevent unauthorized use of the secrets you are trying to protect. So for each 'user' you will likely need to store a password for their credential store. Then you need the credential store itself. How secure is enough? Do you just need obfuscation, such as a simple substitution cipher like rot13 ( shift the letters of the alphabet by 13 so m => z, a =>n or do you need something stronger like AES encryption, or Public Key encryption? You could create your data store using a JMP table, a text file or a database table, JMP has ODBC support for database connectivity. Better checksums and encryption support, either written in JSL, or loaded from shared libraries via JMP's add-in capability or through the Python bridge.

Securing passwords,

A traditional way to keep passwords files secure it to use a hash function. One way has functions such as MD5, the SHA family, SHA1, SHA256, ... all take data and create a hash that cannot be reversed to reveal the original data. The idea is you take the data you want to secure and create a hash from the data. Usually such hashes are stirred with a SALT value, a random value that is stored with the password data. The salt make it far more costly to keep lookup tables of known data to hash values. Then when the user type in the password, you hash the entered value and compare the hash against the stored value. If they match == success and password is validated. JMP exposes the MD5 checksum to JSL. From the scripting index, see Blob MD5(). Please note that MD5's use for cryptographic purposes is not secure against modern cryptographic techniques, but for low level security is still should be fine.

Then, you can use the hash or even combine the hash with additional data create a derived hash or HMAC https://en.wikipedia.org/wiki/HMAC to act as the password key to your protected data store. Some databases have encrypt functionality for data fields, or you may have to encrypt the data yourself and store in the table.

Lastly if you need greater security, look at JMP's add-in functionality that can call into shared libraries, there you could implement as complex a data management scheme as you desire. Or look to JMP's Python interface, calling out to Python packages can give you access to sqlite, and better checksums and encryption methods.

How I would go about building such a data store? I would lean heavily on JMP's Python interface. The sqlite database support is built into Python, and would use that or JMP tables for my data store. Further Python is generally built with crypt support, checksums and encryption algorithms. I would first start by creating a password table table which has a hash of the passwords. Then build a data store as another table which have encrypted fields. Just how secure, how complicated, a matter of how much code and how much testing...

Re: save passwords securely

Paul_Nelson — Mon, 09 Mar 2020 18:43:50 GMT

Sample python script to create a sqlite data store,

#! /usr/bin/env/python3
#
# Author: Paul Nelson - JMP Statistical Discovery, From SAS
# Date: 9 Mar 2020
#
# Description: This sample shows the python code using sqlite to create a data data store
# for saving passwords, credentails...  While Python has hash functions, the standard library
# does not include ciphers.  For purposes of this sample I used lzma compression to 'encode' and
# decompression to 'decrypt'  For use from JSL, I would turn this into a python module and then
# import 'my_dataStore_api' to cut down code in the JSL string.
#
# sample python program using sqlite to create a secure store for passwords and
# key, value data storage.
#
# While Python contains hash functions, does not include encryption primitives in the standard library.
# an example using PyCrypto can be found
# https://stackoverflow.com/questions/12524994/encrypt-decrypt-using-pycrypto-aes-265
# however pycrypto has no been updated since 2014... https://github.com/dlitz/pycrypto
#
# pyca/cryptography - https://cryptography.io/    https://github.com/pyca/cryptography
# seems to be currently maintained.
#
# Don't create your own encryption! The above packages or, openssl, or many other providers are
# better than writing your own.
#
# It is an exercise left to the reader to replace the code using lzma compression with real encrypt
# and decrypt code.  :)
# 
# 
import sqlite3
import hashlib
import os
from pathlib import Path
import lzma

# Salt should be random quantity, get from OS entropy source
salt = os.urandom(16);
mypasswd = b'JMP in a dried up lake'
dk = hashlib.pbkdf2_hmac('sha256', mypasswd, salt, 1000)
# dk.hex()  will be the actual hashed password saved to db
# but the binary dk, will be what we use as the encryption key
# dkhex = dk.hex()
# binDk = bytes.fromhex(dkhex)
# 

# Path to my credential store , my home directory + AppData
data_path = str(Path.home()) + '/AppData/'
filename = 'dataStore'

# Create directory if it doesn't exist
os.makedirs(data_path, exist_ok=True)

# will create database if it doesn't exist
db = sqlite3.connect(data_path + filename + '.db')

# my username
me = 'jmpuser'

# create our password table storing hashed passwords
db.execute('CREATE TABLE IF NOT EXISTS passwd (uid INTEGER PRIMARY KEY, name TEXT, salt TEXT, key TEXT)')

# should check to see if user is in database and only insert if not found
# exercise left to the reader
db.execute("INSERT INTO passwd (name, salt, key) VALUES( ?,?,? ) ", (me, salt.hex(), dk.hex()) )
db.commit()
print('******* passwd database *******')
for row in db.execute('SELECT * from passwd'):
    print(row)
print('*******************************')    

# create our credentials table which will store the name of the credential, and its value
db.execute('CREATE TABLE IF NOT EXISTS credentials (id INTEGER PRIMARY KEY, uid INTEGER, key TEXT, value TEXT)')

# first we need to have validated that user gave propper password, and we authenticated against passwd
# table assuming user is authenticated

# should check to see if user is in database and only insert if not found, potentially update if found
# exercise left to the reader.

# my user id in this scheme 
id = 0

#The value data I'm going to store into the database
myson1 = """
{
   user: paul
   magic_key: JMP Rocks!
}"""

myson2 = """
{
   user: paul
   magic_key: supercalifragilisticexpialidocious
}"""

# 'encrypt' my data
lvalue = lzma.compress( myson2.encode() )
lvalue2 = lzma.compress( myson1.encode() )

# you could encrypt the 'key' as well as the value if you really want security
db.execute("INSERT INTO credentials (uid, key, value) VALUES( ?,?,? ) ", (id, 'JMPCommunity', lvalue.hex()) )
db.execute("INSERT INTO credentials (uid, key, value) VALUES( ?,?,? ) ", (id, 'WDW', lvalue2.hex()) )
db.commit()
print('******* credentials database *******')
for row in db.execute('SELECT * from credentials WHERE uid=?', (id,) ):
    print(row)
    value = bytes.fromhex(row[3])
    print(lzma.decompress(value).decode())
print('************************************')
db.close()

Re: save passwords securely

ih — Thu, 18 Jun 2020 21:33:02 GMT

Found this while looking for a better solution for myself. For scripts on my own machine, I call R and use the keyring function. It uses Keychain on mac, Credential Store on Windows, and the Secret Service API on Linux. Obviously this comes with overhead, it would be nice to do this without R. If interested, I put a JMP Wish List item to create these functions in JMP.

https://github.com/r-lib/keyring

R Init();
R Submit(
	"library(keyring)
	pw <- keyring::key_get(\!"DomainAccount\!", \!"username\!")"
);
pw = R Get("pw");
R Term();

Re: save passwords securely

David_Burnham — Fri, 19 Jun 2020 01:34:35 GMT

I take an obfuscation-style route. I convert characters to numbers, then feed these numbers into a mathematical formula to generate an 'encrypted' representation.

I tend to use the technique more for software license codes rather than user passwords. So I will take a product name or code combined with site ID information, plus an expiry date, build a numeric representation and parse that through a complex mathematical formula: the final output might be something like 1143932720966.

Re: save passwords securely

vince_faller — Tue, 23 Jun 2020 13:34:54 GMT

I like this. I unfortunately can't force customers to install python (some have explicitly forbidden their users to install it). But I have convinced most to install the sqlite odbc driver so maybe I can use that with MD5.

I'd still have to find some way to do encryption.

Thanks for the help, I've definitely got some research to do.

Re: save passwords securely

Paul_Nelson — Tue, 23 Jun 2020 13:40:13 GMT

You can look at doing encryption using a JMP add-in. Understand that shipping an encryption library has legal and export ramifications. Your best bet would be to write an add-in that calls into the native encryption libraries already on the host OS, and then still run it past your legal team.

Re: save passwords securely

vince_faller — Tue, 23 Jun 2020 14:36:36 GMT

You've been more than helpful. Thank you.

Re: save passwords securely

ih — Wed, 24 Jun 2020 20:40:23 GMT

On Windows I believe this code could be re-created with JSL and the command line to interact with the windows credential manager, could be wrong. Maybe someday I will take this on; sharing it here in case someone else figures it out first. :)

#include <windows.h>
#include <wincred.h>
#include <tchar.h>
#pragma hdrstop

void main ()
{
    { //--- SAVE
        char* password = "brillant";        DWORD cbCreds = 1 + strlen(password);
        CREDENTIALW cred = {0};        cred.Type = CRED_TYPE_GENERIC;        cred.TargetName = L"FOO/account";        cred.CredentialBlobSize = cbCreds;        cred.CredentialBlob = (LPBYTE) password;        cred.Persist = CRED_PERSIST_LOCAL_MACHINE;        cred.UserName = L"paula";
        BOOL ok = ::CredWriteW (&cred, 0);        wprintf (L"CredWrite() - errno %d\n", ok ? 0 : ::GetLastError());
        if (!ok) exit(1);
    }
    { //--- RETRIEVE        PCREDENTIALW pcred;        BOOL ok = ::CredReadW (L"FOO/account", CRED_TYPE_GENERIC, 0, &pcred);        wprintf (L"CredRead() - errno %d\n", ok ? 0 : ::GetLastError());
        if (!ok) exit(1);        wprintf (L"Read username = '%s', password='%S' (%d bytes)\n", 
                 pcred->UserName, (char*)pcred->CredentialBlob, pcred->CredentialBlobSize);
        // must free memory allocated by CredRead()!
        ::CredFree (pcred);
    }
}

From kkm here:

https://stackoverflow.com/questions/9221245/how-do-i-store-and-retrieve-credentials-from-the-windows-vault-credential-manage

Re: save passwords securely

ih — Fri, 27 Aug 2021 22:10:06 GMT

Here is a version that uses an available module in powershell, maybe that is an option?

Names default to here(1);

loadmodule = "
		if (!(Get-Module -ListAvailable -Name CredentialManager)) {
			Install-Module CredentialManager -force -Scope CurrentUser
		}
		";


//Function to run command in powershell, strips trailing line breaks
RunPowershell = Function( {command},
	Regex(RunProgram(
		Executable( "powershell.exe" ),
		Options( {"/c", command } ),
		ReadFunction( "text" )
	), "^(.*?)[\r\n]+$", "\1")
);


// Set password
SetPass = Function( {target,user,pass},
	RunPowershell(
		"$target = '" || target || "'
		$usr = '" || user || "'
		$pswd = '" || pass || "'
		" || loadmodule || "
		New-StoredCredential -Target $target -UserName $usr -Password $pswd"
	);
	1; //password is returned as free text, don't return the response
);

// Get password
GetPass = Function( {target},
	RunPowershell(
		"$target = '" || target || "'
		" || loadmodule || "
		$creds = Get-StoredCredential -Target $target

		$creds.GetNetworkCredential().Password"
	)
);

// Get username
GetUser = Function( {target},
	RunPowershell(
		"$target = '" || target || "'
		" || loadmodule || "
		$creds = Get-StoredCredential -Target $target

		$creds.GetNetworkCredential().UserName"
	)
);

// Set and retrieve credentials
SetPass("testcredential", "myusername3", "mypassword3");
GetPass("testcredential");
GetUser("testcredential");

//You can delete these test credentials using the 'windows credential store'.