> I'm writing a program in which I will ask users to enter user name and
> password once only. It's a console based program that will run on
> Windows XP. Actually, I'm trying to provide the similar functionality
> as "Remember me" thing in browsers. For that, I will need to store
> user name and passwords on the disk. I don't have a background in
> Crypto so how do you suggest I do that?
Here is how the "Remember me" thing in browsers works:

1. The user *has* to pick a "master password". It can't work without
   (ignoring smartcards etc.).
2. The browser uses the master password to encrypt the many individual
   passwords that the user needs.
3. When the user navigates to a password protected site, the browser
   checks whether it has a cached password, and uses the master
   password to restore the encrypted site password.

In interaction, several cases can occur:

A1. site never seen, no master password entered
    - ask user for site password, and whether to store password
    - ask user for master password
    - encrypt site password, and store on disk
    - remember master password in memory
A2. site seen before, no master password entered
    - ask for master password, then continue with B2
B1. site never seen, master password entered
    - ask user for site password, and whether to store it
    - (if store) encrypt site password, store on disk
B2. site seen before, master password entered
    - load encrypted password from disk, decrypt with master password,
      send to site

The "encrypt" and "decrypt" operations are "symmetric", so what you
need is a symmetric encryption algorithm.

If you absolutely cannot accept additional algorithms, you can
implement XOR password encryption yourself: Compute,
letter-for-letter, the exclusive or of the site password and the
master password; if you run out of master password letters, start
over with the first one. Notice that this algorithm is very poor, and
can be cracked by a crypto expert easily, given a few encrypted
passwords.

If you want a good algorithm, you might choose AES, with pure-Python
implementations available here:

http://bitconjurer.org/rijndael.py

A simpler, yet supposedly secure algorithm is TEA:

http://mail.python.org/pipermail/python-list/2002-August/159138.html

Regards,
Martin

-- 
http://mail.python.org/mailman/listinfo/python-list
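The repeating-key XOR scheme Martin describes, written out as an added example (this is not code from the original post). It implements the letter-for-letter XOR with the master password cycled, shows that the same function decrypts, and then shows concretely why the post calls it "very poor": one stored site password that the attacker already knows gives away the master password, and XORing two stored ciphertexts cancels the master password out entirely. The passwords and the master password below are constructed sample values.

```python
"""Repeating-key XOR "password encryption" as described in the post,
plus the two checks that show why it should not be used for stored
credentials. Added example; sample values are constructed."""


def xor_with_master(data: bytes, master: bytes) -> bytes:
    """XOR every byte of data with the master password, starting over at
    the first master byte when the master runs out. XOR is its own
    inverse, so this single function both encrypts and decrypts."""
    if not master:
        raise ValueError("master password must not be empty")
    return bytes(b ^ master[i % len(master)] for i, b in enumerate(data))


def roundtrip(site_password: str, master_password: str) -> str:
    """Encrypt then decrypt a site password; returns the original text."""
    master = master_password.encode()
    stored = xor_with_master(site_password.encode(), master)
    return xor_with_master(stored, master).decode()


def master_from_known_site_password(stored: bytes, known: bytes) -> bytes:
    """Weakness 1: ciphertext XOR known plaintext equals the key stream,
    which here is just the master password repeated. One known site
    password (e.g. a throwaway account) therefore reveals the master."""
    return bytes(c ^ p for c, p in zip(stored, known))


def key_cancels_between_ciphertexts(stored_a: bytes, stored_b: bytes) -> bytes:
    """Weakness 2: two ciphertexts under the same master XOR to the XOR of
    the two plaintexts, with the master password gone. Ordinary
    frequency analysis on that result recovers both passwords."""
    return bytes(a ^ b for a, b in zip(stored_a, stored_b))


# Constructed sample data; the master password is what the user chose.
MASTER = b"hunter2"
SITE_A = b"correct horse"
SITE_B = b"battery staple"

STORED_A = xor_with_master(SITE_A, MASTER)
STORED_B = xor_with_master(SITE_B, MASTER)


if __name__ == "__main__":
    print("roundtrip:", roundtrip("correct horse", "hunter2"))
    print("master leaked by one known password:",
          master_from_known_site_password(STORED_A, SITE_A))
    print("plaintext XOR plaintext (master gone):",
          key_cancels_between_ciphertexts(STORED_A, STORED_B).hex())
```

Because the "key stream" repeats with the period of the master password, the scheme gives a reviewer no confidentiality margin at all once any stored value is known or guessable, which is exactly the "few encrypted passwords" caveat in the post. Today the standard answer is to hand the problem to the platform (on Windows, DPAPI) or to derive a key from the master password with a password-based KDF and use an authenticated cipher such as AES-GCM from a maintained library, rather than any hand-rolled construction.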