Password protected folder

[zask]

Okay, since i was apparently corrected for not defining the correct definition of encryption. I've corrected my self so that we can continue this topic. I would like an opinion on this password encrypted batch file. rate 1-10 please.


@echo off
color 0a

if not exist "C:\Pswrd.Zask\" (
  mkdir "C:\Pswrd.Zask\"
    if "!errorlevel!" EQU "0" (
      goto DirectoryExist
    ) else (
   echo Created the folder "C:\Pswrd.Zask" & timeout /t 5
  )
) else (
      goto DirectoryExist
)

:DirectoryExist

if exist C:\Pswrd.Zask\Password.Zask (
    goto PasswordExist
) else (
    goto CreatePasswordScreen
)
:PasswordExist

if exist C:\Pswrd.Zask\Key.Zask (
    goto UsernameExist
) else (
    goto CreatePasswordScreen
)


:UsernameExist

 for /f "Delims=" %%A in (C:\Pswrd.Zask\Password.Zask) do (
      set CHECKPASSWORD=%%A
 )
    for /f "Delims=" %%B in (C:\Pswrd.Zask\Key.Zask) do (
      set CHECKKEY=%%B
)

goto PasswordScreen

:CreatePasswordScreen
cls
echo Create a password.
echo.

setlocal EnableDelayedExpansion

set /p "CREATEPASSWORD= Enter password : "
set /p "CREATEKEY= Enter a key number : "

set CHAR=0123456789azbycxdwevfugthsirjqkplomn

for /l %%C in (10 1 36) do (

for /f %%D in ("!CHAR:~%%C,1!") do (

set /a MATH=%%C*%CREATEKEY%
for /f %%E in ("!MATH!") do (

set "CREATEPASSWORD=!CREATEPASSWORD:%%D=-%%E!"

)
)
)

echo %CREATEPASSWORD% >> C:\Pswrd.Zask\Password.Zask
attrib C:\Pswrd.Zask\Password.Zask +s +h & echo Password Created!

echo %CREATEKEY% >> C:\Pswrd.Zask\Key.Zask
attrib C:\Pswrd.Zask\Key.Zask +s +h & echo Username Created!
echo.

start %~n0%~x0
exit
:PasswordScreen
color 0a
cls
echo Existing User Account.
echo.

setlocal EnableDelayedExpansion

set /p "PASSWORD= Enter Password : "
set /p "KEY= Enter the original key : "

set CHAR=0123456789azbycxdwevfugthsirjqkplomn

for /l %%C in (10 1 36) do (

for /f %%D in ("!CHAR:~%%C,1!") do (

set /a MATH=%%C*%CHECKKEY%
for /f %%E in ("!MATH!") do (

set "CHECKPASSWORD=!CHECKPASSWORD:%%E=%%D!"

)
)
)

for /f %%F in ("!CHECKPASSWORD!") do (
set "CHECKPASSWORD=!CHECKPASSWORD:-=!"

)


if %PASSWORD%==%CHECKPASSWORD% (
goto Operation1True
) else (
goto OperationFalse
)

:Operation1True
if %KEY%==%CHECKKEY% (
goto Operation2True
) else (
goto OperationFalse
)

:OperationFalse
color 0c
echo Password Incorrect!
timeout /t 10
goto PasswordScreen

:Operation2True
cls
echo Password Correct!
echo.
pause

[foxidrive]

rate 1-10 please.

0



Sorry for the off topic post - I will chastise myself vigorously, when the sun turns into a red giant.

[camerongray]

Not trying to start an argument here - I'm going to try to help but I will not tolerate any of the nonsense you have given before, I'm going to spend a fair bit of time here writing an explanation so I'd appreciate it if you read it in full.

What you appear to be doing is asking the user for a key and then using this to encrypt their password on disk and then ask the user for the same password and key to check the password.  This is an extremely unusual way to handle passwords, I mean, at least you aren't storing the password in plaintext on disk but it means you are having to ask the user for two keys and you at the mercy of the security of your home made encryption.  Rolling your own encryption is fine for fun or to learn about it but please don't use home made encryption in anything production level!

As I have said before, the accepted correct way to store passwords is as follows: You should "hash" the password the user gives, that is to perform a one way operation such as SHA1 to get a string that represents their original password (but can never be changed back to their password no matter what you do).  You store this hash on disk.  When you then come to check the user's password you perform the same one way hash operation on the password and then compare the hashes.


Here is an example of correct (albeit somewhat basic) password hashing:

The user says they want to set their password to "password123".  Your program takes this and runs SHA1 to get a hash of it which is "bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5".  You store this on disk.

Now the user comes along and enters their password correctly.  So they put in "password123" and you run SHA1 on it again, this will give the same result as before (bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5).  You then read the value you have stored on disk and compare it to this hash.  Both hashes are clearly the same so you can say that the passwords are identical and then therefore let them in.

Now say that the user enters their password wrongly.  They put in "password124" and then you run SHA1 on that which gives you "b733b9d7d45bbe0f9ea25344d37db5f920fdd44 b".  You read the hash you have stored on disk and compare them.  Clearly the hash of the password they entered (b733b9d7d45bbe0f9ea25344d37db5f920fdd44 b) is different from the one you have on disk (bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5) therefore the passwords are different and you should not let the user in.

The key thing here is that while you are storing the hash, it is physically impossible to take "bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5" and convert it back to "password123" no matter what you do, the hashing process loses bits of information about the data you put in.  The only way to do anything like that is to brute force it which takes an impractical amount of time for any reasonable length of password.  This is important as it means if an attacker was to compromise the machine, they cannot get a list of everyone's passwords.

[zask]

honestly i dont care about what the definition is, is obliviously clear what im doing. the point is to keep the other person from seeing the password. nothing else, no conflict, nothing more than that. you get my point. *Encoding is a better example so i will change the page to that. 

[camerongray]

I'm going to try to help but I will not tolerate any of the nonsense you have given before,

Well, I tried to help you by providing information and you once again decided to be rude and refuse to listen to the help given.  I am not picking you up on terminology, I'm trying to teach you how to properly handle passwords in software because it's a tricky subject (took me a while to learn it) and I want to see you succeed.  I've lost count of the number of password handling systems I've built/worked with so I thought I'd pass that knowledge on.  Oh well...

I guess I'll leave you to it then, in the future you will need to learn that in order for people to help you, you have to at least read the help given and be respectful for the people that are giving up their time to help you.

[zask]

Dude i understand that your trying to help me. But this is not what i'm asking for, if i wanted to i could do that no problem. the main reason that i even ask this question and the only question is because i wanted a rating. If i can do exactly as you asked me to do but it still solves nothing which i'm asking for. All i ever wanted was a simple thumbs up or thumbs down, if no one likes it i will make better improvements, but i'm not interested in opinions or confrontation, or anything really besides a rating. For example if you wanted to add an opinion or better help me, rate it first. Because when people say that something isn't this or isn't that they don't seem to realize that the point isn't supposed to be exactly what definition describes it to be, the point it that as you cant see the password, or the code to be able to obtain the password (Unless you have programming knowledge to find it) that's all that matters. I enjoy that other people like to help, but when people imply that another persons work is incorrect and don't rate, it discredits their work. Rather than motivating the person but put more effort in his work. it's stressful having to babysit a kid at my age, it's hard finding the time to post reply's to answers people who discredit me because i have no time, People keep saying that there giving examples and explanations but as i said in the past, when i have so much to do (job,school,babysit,choirs,cooking,and even just preparing my self in the morning) This limits my ability to read others messages because of lack of time. Thus when im looking for reply's that apply towards my question, i have to ignore the reply's that void the purpose of the whole post. Yes, if i have a error please do mind to tell be, but give some motivation, notice that by the little time i do have to comment towards others post, that i may not have had the time to fully stop and check over what i said myself. I read over the old comments in the last page and have realize that there was a HUGE misunderstanding. I thought that someone was dishing my works, and not providing a explanation. only after i have had the time to fully read the comments, i had realized that this was the entire opposite of what you and the others was doing. and for that i apologize

[zask]

Okay, since i was apparently corrected for not defining the correct definition of encryption (I now label it as encoding). I've corrected my self so that we can continue this topic. I would like an opinion on this password encrypted batch file. rate 1-10 please.


@echo off
color 0a

if not exist "C:\Pswrd.Zask\" (
  mkdir "C:\Pswrd.Zask\"
    if "!errorlevel!" EQU "0" (
      goto DirectoryExist
    ) else (
   echo Created the folder "C:\Pswrd.Zask" & timeout /t 5
  )
) else (
      goto DirectoryExist
)

:DirectoryExist

if exist C:\Pswrd.Zask\Password.Zask (
    goto PasswordExist
) else (
    goto CreatePasswordScreen
)
:PasswordExist

if exist C:\Pswrd.Zask\Key.Zask (
    goto UsernameExist
) else (
    goto CreatePasswordScreen
)


:UsernameExist

 for /f "Delims=" %%A in (C:\Pswrd.Zask\Password.Zask) do (
      set CHECKPASSWORD=%%A
 )
    for /f "Delims=" %%B in (C:\Pswrd.Zask\Key.Zask) do (
      set CHECKKEY=%%B
)

goto PasswordScreen

:CreatePasswordScreen
cls
echo Create a password.
echo.

setlocal EnableDelayedExpansion

set /p "CREATEPASSWORD= Enter password : "
set /p "CREATEKEY= Enter a key number : "

set CHAR=0123456789azbycxdwevfugthsirjqkplomn

for /l %%C in (10 1 36) do (

for /f %%D in ("!CHAR:~%%C,1!") do (

set /a MATH=%%C*%CREATEKEY%
for /f %%E in ("!MATH!") do (

set "CREATEPASSWORD=!CREATEPASSWORD:%%D=-%%E!"

)
)
)

echo %CREATEPASSWORD% >> C:\Pswrd.Zask\Password.Zask
attrib C:\Pswrd.Zask\Password.Zask +s +h & echo Password Created!

echo %CREATEKEY% >> C:\Pswrd.Zask\Key.Zask
attrib C:\Pswrd.Zask\Key.Zask +s +h & echo Username Created!
echo.

start %~n0%~x0
exit
:PasswordScreen
color 0a
cls
echo Existing User Account.
echo.

setlocal EnableDelayedExpansion

set /p "PASSWORD= Enter Password : "
set /p "KEY= Enter the original key : "

set CHAR=0123456789azbycxdwevfugthsirjqkplomn

for /l %%C in (10 1 36) do (

for /f %%D in ("!CHAR:~%%C,1!") do (

set /a MATH=%%C*%CHECKKEY%
for /f %%E in ("!MATH!") do (

set "CHECKPASSWORD=!CHECKPASSWORD:%%E=%%D!"

)
)
)

for /f %%F in ("!CHECKPASSWORD!") do (
set "CHECKPASSWORD=!CHECKPASSWORD:-=!"

)


if %PASSWORD%==%CHECKPASSWORD% (
goto Operation1True
) else (
goto OperationFalse
)

:Operation1True
if %KEY%==%CHECKKEY% (
goto Operation2True
) else (
goto OperationFalse
)

:OperationFalse
color 0c
echo Password Incorrect!
timeout /t 10
goto PasswordScreen

:Operation2True
cls
echo Password Correct!
echo.
pause

[zask]

Not trying to start an argument here - I'm going to try to help but I will not tolerate any of the nonsense you have given before, I'm going to spend a fair bit of time here writing an explanation so I'd appreciate it if you read it in full.

What you appear to be doing is asking the user for a key and then using this to encrypt their password on disk and then ask the user for the same password and key to check the password.  This is an extremely unusual way to handle passwords, I mean, at least you aren't storing the password in plaintext on disk but it means you are having to ask the user for two keys and you at the mercy of the security of your home made encryption.  Rolling your own encryption is fine for fun or to learn about it but please don't use home made encryption in anything production level!

As I have said before, the accepted correct way to store passwords is as follows: You should "hash" the password the user gives, that is to perform a one way operation such as SHA1 to get a string that represents their original password (but can never be changed back to their password no matter what you do).  You store this hash on disk.  When you then come to check the user's password you perform the same one way hash operation on the password and then compare the hashes.


Here is an example of correct (albeit somewhat basic) password hashing:

The user says they want to set their password to "password123".  Your program takes this and runs SHA1 to get a hash of it which is "bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5".  You store this on disk.

Now the user comes along and enters their password correctly.  So they put in "password123" and you run SHA1 on it again, this will give the same result as before (bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5).  You then read the value you have stored on disk and compare it to this hash.  Both hashes are clearly the same so you can say that the passwords are identical and then therefore let them in.

Now say that the user enters their password wrongly.  They put in "password124" and then you run SHA1 on that which gives you "b733b9d7d45bbe0f9ea25344d37db5f920fdd44 b".  You read the hash you have stored on disk and compare them.  Clearly the hash of the password they entered (b733b9d7d45bbe0f9ea25344d37db5f920fdd44 b) is different from the one you have on disk (bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5) therefore the passwords are different and you should not let the user in.

The key thing here is that while you are storing the hash, it is physically impossible to take "bab1298d948ebb34bd0f3faf5e596ebc0b27c61 5" and convert it back to "password123" no matter what you do, the hashing process loses bits of information about the data you put in.  The only way to do anything like that is to brute force it which takes an impractical amount of time for any reasonable length of password.  This is important as it means if an attacker was to compromise the machine, they cannot get a list of everyone's passwords.

I understand, this isn't for anything but my own educational purposes, I asked for a rating simply to know if i am doing good, this isn't meant for a machine or to keep any hacker from compromising data, it's to add a simple folder attrib option to keep family members from seeing it's contents

[zask]

0



Sorry for the off topic post - I will chastise myself vigorously, when the sun turns into a red giant.

Lack in understanding that the negative confrontation isn't accumulated because of your opinion, or saying my lack of understanding, but rather only because the negativity generated from the affiliation's lack of care or presumptuousness that afflicts towards the smart remarks. if you would read the text on google right before you enter this sight it states, "answering all your computer related questions". thus if i ask you what you would prefer this to be rated as a scale 1-10, then i don't understand how this can be on topic. it's a computer related question? there is also no rules stating that asking for a rating is inappropriate, against the rules, or is even implied as off topic. This also means that anything you say isn't off topic as long at it doesn't void the rules. I don't understand why you would punish yourself lol.

[zask]

Well, I tried to help you by providing information and you once again decided to be rude and refuse to listen to the help given.  I am not picking you up on terminology, I'm trying to teach you how to properly handle passwords in software because it's a tricky subject (took me a while to learn it) and I want to see you succeed.  I've lost count of the number of password handling systems I've built/worked with so I thought I'd pass that knowledge on.  Oh well...

I guess I'll leave you to it then, in the future you will need to learn that in order for people to help you, you have to at least read the help given and be respectful for the people that are giving up their time to help you.

Dude i know what your explaining, but this is not what im trying to ask for, i get your helping but your not helping for what im asking for.  I want to be able to get back inside the code but make it so that others cannot. i am not trying to prevent myself from gaining access to the file.

the only reason that it is impossible to understand the original password is because the reason bellow. pretend that the encoded text bellow says "hello".

11wx637

"11" can be "1" or "11", and "wx" can be both "w", "x" or "wx", "637" can be both "63", "37, or "637". the computer cannot decrypt the ciphered text because if the letter "h" was equal to "1" and "e" was equal to "1w" then if another letter was equal to "11", then the computer wouldn't be able to tell "11" from "1" and "1w" when set beside each other.
the code i used has added the "-" sign to prevent this and can be find in the video here.
https://www.youtube.com/watch?v=c8HIe3bKSfA

im not being rude, i very much appreciate all your effort in trying to teach me what you understand, but in this code that i am using (call it what you like). I need the password to be able to be encoded for user purpose. i am no longer even claiming it as encryption anymore, maybe that wasn't the correct term to use. but if encryption is what you guys said it is, then that isn't what i'm currently looking for. i would love to learn all the methods that you teach in encryption, but for this one project, (If encryption means that the code cant be turned back into the original text), then that is not what im currently looking for (at this moment). hopefully that clarifies?

[zask]

Im trying to avoid bringing back the same argument, not trying to ignore, or be rude.

[Geek-9pm]

Hello Zach,
They are not being rude at all. Your problem is you are not paying attention. Zach, you do a lot of writing. But can you read? Really? Do you comprehend something what is shown to you it written form? There are many good textbooks on cryptography that have been written many years ago. It is not a new science. With computers it's possible to do things that are much too difficult for humans with charts and graphs to accomplish. One of the things that computers do is computers can encrypt a stream of data that is not bound by fixed boundaries. Or to put it another way, instead of encrypting letters, the computer may  encrypt letter groups.  For example the letter combination TH is very common in English. It could be encrypted by using a binary sequence that is much shorter than the 16 bits that would be required for the two letters.
If you're interested in learning more about cryptography, stop doing experiments that are 30 years old. Wait a minute, I  should say the kind of experiment some more like 75  years old. Books on cryptography that were written before 1950 were more ahead of anything you've presented here.
If you'd like a reading list of current textbooks on cryptography, you can find them at Amazon or at Barnes & Noble or even in your public library.
Most of the members here in the forum are not interested in doing classroom exercises that they did years ago when this first started computer science 101. So they are not being rude, they just don't understand why you don't get more up to date with your knowledge.
And really am trying to help you.  I am trying to tell you that while the rest of the  rest of the world is using computers, you are back with the Abacus.  Actually  I really like the Abacus. But I don't use it anymore.

For Reference:
http://www.techsupportalert.com/best-free-file-encryption-utility.htm

Encryption is a process of encoding information so that it cannot be accessed by others unless they have the key needed to decode it. Encryption is usually used to protect highly sensitive documents, but it's also a good way to stop people from looking at your personal stuff.

[zask]

Hello Zach,
They are not being rude at all. Your problem is you are not paying attention. Zach, you do a lot of writing. But can you read? Really? Do you comprehend something what is shown to you it written form? There are many good textbooks on cryptography that have been written many years ago. It is not a new science. With computers it's possible to do things that are much too difficult for humans with charts and graphs to accomplish. One of the things that computers do is computers can encrypt a stream of data that is not bound by fixed boundaries. Or to put it another way, instead of encrypting letters, the computer can't encrypt letter, nations. For example the letter combination TH is very common in English. It could be encrypted by using a binary sequence that is much shorter than the 16 bits that would be required for the two letters.
If you're interested in learning more about cryptography, stop doing experiments that are 30 years old. Wait a minute, I mistaken those kind of experiment some more like 100 years old. Books on cryptography that were written before 1950 were more drastic anything you've presented here.
If you'd like a reading list of current textbooks on cryptography, you can find them at Amazon or at Barnes & Noble or even in your public library.
Most of the members here in the forum are not interested in doing classroom exercises that they did years ago when this first started computer science 101. So they are not being rude, they just don't understand why you don't get more up to date with your knowledge.
And really am trying to help you.  I am trying to tell you that while the rest of the  rest of the world is using computers, you are back with the Abacus.  Actually  I really like the Abacus. But I don't use it anymore.

The whole cryptography thing was a misunderstanding, i just wanted a rating and know if their was a better way of doing this but still be able to achieve the original password. I will be glad in learning encryption, but im not looking for it in this specific case, it was a matter of misunderstanding and nothing more. It's not that im not paying attention, that topic was old, i have read every single post on this wall, i am not looking for what everyone thinks im looking for. this is for my own education,lol, i agree about the abacus? at the end it's all just crappy old school code compared to the newer and more powerful languages anyway

[zask]

:/ the only person that actually understood what i was asking for gave me a 0... troll much? lol

[camerongray]

I just thought that rather than giving you a low rating it would be more useful if I were to explain how you could improve it.

If you want to just learn about encryption and stuff that's great but you'd be best to avoid using it in the context of passwords and instead make a thing to encryot messages/files or something which would be both more useful and avoid the whole confusion of using the wrong methods for handing passwords.  DaveLembke on here recently built a thing to encryot messages over in the programming section, why not try something like that?

I'd also still stand by my recommendation that you are really pushing batch to its limits and this is essentially making your job harder for no real reason. Why not try something like Python which would be more useful, easier to build cool stuff with, better supported for if you need help and makes for much easier to read code?  How about you go and try some of the Python tutorial series over on https://www.codecademy.com/ and see how you get on?  No harm in trying it!  You clearly have potential but Batch makes it really hard to exploit it!  Come think of it, when I was younger I remember playing about with batch files and thinking they were really cool but it wasn't until I moved on to Visual Basic (not that I'd use VB nowadays!) that I realised what programming was all about and when I was able to start building much cooler stuff!

For context I volintarily help run/mentor at a weekly programming club for people around your age.  People quite often start off on Python as their first language and very quickly they are building really cool and complicated things including basic message encryption type stuff.  There is also an absolute tonne of documentation and help out there for Python should you need it.