DONE: create a stand alone app that implements oplop

[helmar]

This was accidently posted under the "Coding Snack Guidelines" area and not the "Post New Requests Here", (can someone delete the post located at https://www.donation....php?topic=33063.new - thanks.)
There are various implementations of oplop (http://code.google.c...wiki/Implementations), but I am looking for a Windows based one, if possible done in AutoIT.

Some ideas that I would like to see, and I know this then makes the request outside of the canon for oplop:
select the length of the created password hash, with 8 being the least accepted length

Current canon states "Oplop also makes sure there is at least one digit and one letter in every unique account password in case a web site requires that sort of thing."
I would like to have a check box that allow the inclusion of special character from a predefined listing.  It could as simple as allow a ampersand (or char of the user's chosing), Yes / No?

Technical Details (http://code.google.c...plop/wiki/HowItWorks)
Oplop is a password hashing algorithm. The steps it takes to generate an account password is:
1.Concatenate the master password with the nickname (in that order!).
2.Generate the MD5 hash of the concatenated string.
3.Convert the MD5 hash to URL-safe Base64.
4.See if there are any digits in the first 8 characters. If no digits are found ...
  1.Search for the first uninterrupted substring of digits.
  2.If a substring of digits is found, prepend them to the Base64 string.
  3.If no substring is found, prepend a 1.
5.Use the first 8 characters as the account password.

[mouser]

Seems like a great idea to me.  Would make a great NANY 2013 entry too.

[skwire]

I gave this an attempt but my results did not match what the author's website implementation produced.  For example, the author states that a nickname of "Amazon" and a master password of "secret password" should result in "sar4_zIs" as the generated password.  However, after following the rules on the author's page, this is what I get:

Concatenated string: Amazonsecret password
MD5 hash of the concatenated string: fe6b656b873349bcc7f69509d0ca5d79
Base64 hash of the MD5 hash: ZmU2YjY1NmI4NzMzNDliY2M3ZjY5NTA5ZDBjYTVkNzk=

The next set of rules only applies if there isn't a number within the first eight characters so, in this case, one exists and we should take the first eight characters for the final password: ZmU2YjY1  You can see that this isn't even close to what it's supposed to be: sar4_zIs

It could be that the Base64 function I'm using isn't URL-safe but I can't see how it would make that much difference.  Maybe it would...

[Ath]

if possible done in AutoIT.

-helmar (November 29, 2012, 07:21 AM)

Why is that a requirement?

[skwire]

if possible done in AutoIT.

-helmar (November 29, 2012, 07:21 AM)

Why is that a requirement?

-Ath (November 29, 2012, 01:52 PM)

I suppose the OP could be familiar with AutoIT and would like to study the source if the app was written in it.   

[Ath]

for the final password: ZmU2YjY1  You can see that this isn't even close to what it's supposed to be: sar4_zIs

-skwire (November 29, 2012, 01:34 PM)

I have the same results you get, and I'm using PascalScript (of Inno Setup fame )
Wonder Now I see how he manages to get an underscore in the Base64'd result, as that's not in my Base64 characterset (A-Z, a-z, + and / filled-up with = at the end as needed)

Found it: base64url, has - and _ instead of + and /

But the result is still not even close

[Ath]

But the result is still not even close

-Ath (November 29, 2012, 02:43 PM)

Checked the MD5 results of PascalScript with the values shown in the MD5 wiki page, and they're exactly the same, so most presumable he used his own secret password instead of 'secret password' for the example. Now let's see if we can hack his Amazon account...

[skwire]

so most presumable he used his own secret password instead of 'secret password' for the example

-Ath (November 29, 2012, 02:57 PM)

I don't think so since I ran the "Amazon/secret password" combo on his web implementation and got the correct output.

https://oplop.appspot.com/

[Ath]

Oops, why didn't we 'see' that? 
My current result:
Concatenated string: secret passwordAmazon
MD5 result: 0xb1aaf8ff322cc425df0589656079154b
Base64 encoded: sar4_zIsxCXfBYllYHkVSw==
Oplop password: sar4_zIs

The culprit is the red marked 0x, the output of both our MD5 encoders is a bin to hex-string conversion. That has to be recoded into binary data, then fed to a base64url encoder to get the desired result

And the concatenation is expected to be "secret password" + "mnemonic", and not the other way around
(saw that when I eventually re-did the implementation in AutoIt, just for the fun of it )

Code: AutoIt [Select]

1. #include <Crypt.au3>
2. #include "Base64.au3"
3.  
4. ; oplop, returns private_password + mnemonic -> oplop passwordhash
5. Func oplop($secret, $mnemonic)
6.     Local $i, $b = False
7.     ; Next 2 Global vars should be Local, now global only for msgbox use :-)
8.     Global $md5 = _Crypt_HashData($secret & $mnemonic , $CALG_MD5)
9.     Global $base64 = StringReplace(StringReplace(_Base64Encode($md5, 256), "/","_"), "+","-") ; additional conversions for base64url
10.     Local $r = ""
11.     For $i = 1 To 8
12.         If StringRegExp(StringMid($base64, $i, 1), "\d") Then $b = True
13.     Next
14.     If Not $b Then
15.         $i = 8
16.         While $i <= StringLen($base64)
17.             If StringRegExp(StringMid($base64, $i, 1), "\d") Then
18.                 If Not $b Then
19.                     $b = True
20.                     $r &= StringMid($base64, $i, 1)
21.                 Else
22.                     $r &= StringMid($base64, $i, 1)
23.                 EndIf
24.             Else
25.                 If $b Then $i = StringLen($base64)
26.             EndIf
27.             $i += 1
28.         WEnd
29.     EndIf
30.     Return StringLeft($r & $base64, 8)
31. EndFunc
32.  
33. Local $secret = "secret password", $mnemonic = "Amazon"
34.  
35. Local $result = oplop($secret, $mnemonic)
36.  
37. MsgBox(0,"test","Concatenated string: " & $secret & $mnemonic & @CRLF & "MD5 result : " & $md5 & @CRLF & "Base64 encoded : " & $base64 & @CRLF & "Oplop password: " & $result)

It uses the base64 coding routines found here

[helmar]

Thanks everyone.

mouser - thanks for the comments and idea about NANY 2013 entry.

skwire and Ath - thanks for the time you have put into this, I do appreciate it.

The reason I asked about in in AutoIT is exactly as skwire surmised, I have used it before.  I code, but I would not say I am a coder (yet).

I tried to get the "Base64.au3" from the link you posted, but everytime I get the zip file, it shows as corrupt.  Is there any other location for that include file?

Thanks very much.

[4wd]

Is there any other location for that include file?

-helmar (November 30, 2012, 11:11 AM)

Attached.