<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Mariano,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Before I give you an answer, you should never ever ever not even for any reason, ever, did I mention ever, store a user’s password. You can hash a password, which means you store the hash value of the password. You can make it more secure by salting the hash or embedding your own key to the hash, or doing a number of other things. But you should always store an encrypted hash and never a recoverable password. The way this works is that your user knows the password and can generate a hash at any time that you can compare. You store the hash of the password to compare. The reason for this should be obvious. You don’t want anyone to have access to that password. Not even programmers. Your program doesn’t need it either since the user can generate that hash for you at any time. It really is all you ever need to store.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>If you are looking for a simple cypher for something other than a password how about ARC4 from www.squeaksrouce.com/Cryptography <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>|key cText pText|<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>key := SecureRandom picker nextBits: 254. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>cText := (ARC4 new key: key) encrypt: 'This is a very secure but meaningless string' asByteArray.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>pText := (ARC4 new key: key) decrypt: cText.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>^pText asString<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> 'This is a very secure but meaningless string'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It’s pretty simple. To get the plainText back all you need is the key. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>All the best,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ron Teitelbaum<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Pharo-dev [mailto:pharo-dev-bounces@lists.pharo.org] <b>On Behalf Of </b>Mariano Martinez Peck<br><b>Sent:</b> Monday, February 17, 2014 4:17 PM<br><b>To:</b> Pharo Development List; glass@lists.gemtalksystems.com; The general-purpose Squeak developers list<br><b>Subject:</b> [Pharo-dev] FFI blowfish for encrypting / decrypting [WAS] Re: How to encrypt a password?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 21, 2013 at 3:53 PM, Paul DeBruicker <<a href="mailto:pdebruic@gmail.com" target="_blank">pdebruic@gmail.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Mariano Martinez Peck wrote<o:p></o:p></p><div><p class=MsoNormal>> Hi Paul, and just to be sure I understand...none of them could work as a<br>> two-way encryption, right?<br>> The only one is your Pharo's version of Blowfish but that only works with<br>> 8<br>> chars long. Is it like this? Or is there any other two-way encryption?<br>><br>> Thanks!<br>><o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>> --<br>> Mariano<br>> <a href="http://marianopeck.wordpress.com" target="_blank">http://marianopeck.wordpress.com</a><br><br><br>Yes that's right. The PasswordHashingFFI stuff is all one way encryption.<br>Blowfish is two way, and the current implementation only works for 8 byte<br>chunks. I stopped working on it when the Smalltalk bcrypt implementation I<br>wanted proved to be 5000x times slower than the FFI version. Someone needs<br>to add the CBC part to Blowfish to encrypt longer strings. I do not know of<br>another in image two way encryption scheme, but there may be something in<br>the Cryptography repo. I'm not sure.<br><br><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hi Paul,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Sorry for the cross posting. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I was using the Smalltalk version of the Blowfish you did to encrypt and decrypt things. But now I realize it is very very slow for the usage I need. You seem to have faced the same problem. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am encrypting pieces of 8 characters long. But I wonder if the <b>decryption</b> is available as well in FFI version? I see #ffiCrypt:with: but nothing to decrypt...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks in advance <o:p></o:p></p></div></div><p class=MsoNormal><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>Mariano<br><a href="http://marianopeck.wordpress.com" target="_blank">http://marianopeck.wordpress.com</a><o:p></o:p></p></div></div></div></div></body></html>