If input contains

I’m making a secure password generator, where the user inputs a word and
it translates it to something more secure, so if they entered “book” it
would return “b00k”. I just don’t know how to say like

if input contains “S” replace with “$”

etc.

Help?

On Tue, Aug 24, 2010 at 6:54 PM, Hd Pwnz0r
[email protected] wrote:

I’m making a secure password generator, where the user inputs a word and
it translates it to something more secure, so if they entered “book” it
would return “b00k”. I just don’t know how to say like

if input contains “S” replace with “$”

Check out String#gsub

http://ruby-doc.org/core/classes/String.html#M000817

martin

2010/8/24 Hd Pwnz0r [email protected]:

I’m making a secure password generator, where the user inputs a word and
it translates it to something more secure, so if they entered “book” it
would return “b00k”. I just don’t know how to say like

if input contains “S” replace with “$”

input.gsub! /S/, '$'   # in place; /S/ matches upper-case S only

Cheers

robert

On Aug 24, 2010, at 9:24 AM, Hd Pwnz0r wrote:

Help?

String#tr and String#gsub come to mind.

-Rob

Rob B.
[email protected] http://AgileConsultingLLC.com/
[email protected] http://GaslightSoftware.com/

That is not going to be very secure.

This is what I use when I need a username or password for some part of
my system

#!/usr/bin/env ruby

# Alphabet: digits, lower- and upper-case letters and underscore (63 symbols)
a = [ ('0'..'9').to_a, ('a'..'z').to_a, ('A'..'Z').to_a, "_"].flatten

# Print ten candidates of 31 characters each, picked from the alphabet
10.times do
  puts (0..30).map{a[rand(a.size)]}.join('')
end

Which gives output like:

0Lqimr_6JWoXvFR_UWA0CZo6J23QFci
mwB8_i5N2LPPcHsLQQBfafUUBMZvxxO
nhjWija1r2a_1BSpxhuGOyC3eXIQwjd
d2Jj1mS6ah_OqmWH0J4wL8lOaugfH6t
jZ7_9IYHa9G_JBqha4hMhKo3PnbnMhc
vHjIM925PbqrW_1rOvNLtktSIqdQZQU
ClxbfZp0dg5oxHstqHgfNJyMnPbQTa7
boODNYczqZoNuFeg_ROQ5fj1BPNg3m4
KlBhifcZy_Sl4mFew2e4PBMQasOuBTL
3RZXBYZfmHxiMx1lfBKMsilmIK5vgzN

Pick one for the username and another for the password. Actually I use
a slightly more complex script (using more symbols) but rest assured
converting ordinary text into 1337 text is old hat and even the
dumbest brute force password cracker will try them because people like
you think that b00k is more secure than book.

Also why did you not try and google for this first?

2010/8/24 Hd Pwnz0r [email protected]:

I’m making a secure password generator, where the user inputs a word and
it translates it to something more secure, so if they entered “book” it
would return “b00k”. I just don’t know how to say like

if input contains “S” replace with “$”

etc.

Help?

Use regular expressions:

string = "password"
new_string = string.gsub(/[sS]/,'$') ## 'pa$$word'

You can chain the calls

newer = string.gsub(/[sS]/,'$').gsub(/[oO]/,'0') ## 'pa$$w0rd'

or even define a hash with all your transformations using inject to
apply them to your string

transfo_hash = {/[sS]/ => '$', /[oO]/ => '0', /[aA]/ => '4'}

transfo_hash.inject(string) {|sum_string,h|
  sum_string.gsub(h[0],h[1])} ## 'p4$$w0rd'

But I would say, as Peter did, that it is not really more secure than the
original string.

@Peter: how do you remember the login/password pairs that are
randomly chosen? Do you store them somewhere?

Cheers,

JJ Fleck

PS: see also http://xkcd.com/538/
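As an added example (not code from any of the posters), the two approaches in this thread side by side: JJ Fleck's inject-over-a-hash leet rewrite, and a generator over the same 63-symbol alphabet as Peter's script, using SecureRandom in place of Kernel#rand, each with a bit count so the "not really more secure" claim can be checked. The 200,000-word dictionary size is an assumed figure.

```ruby
require 'securerandom'

# Added example, not from the thread. The substitution table and inject
# idiom follow JJ Fleck's post; the alphabet follows Peter's script.
LEET = { /[sS]/ => '$', /[oO]/ => '0', /[aA]/ => '4' }

# Apply every rule in turn: "password" -> "p4$$w0rd", "book" -> "b00k".
def leet(word, table = LEET)
  table.inject(word) { |acc, (re, rep)| acc.gsub(re, rep) }
end

# 63 symbols: digits, letters of both cases and underscore.
ALPHABET = [('0'..'9').to_a, ('a'..'z').to_a, ('A'..'Z').to_a, '_'].flatten

# SecureRandom.random_number(n) draws a uniform integer in 0...n from the
# OS CSPRNG, so every symbol is equally likely (Kernel#rand is not a CSPRNG).
def random_password(length = 31, alphabet = ALPHABET)
  Array.new(length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Guessing work for a uniformly random string: length * log2(alphabet size).
def random_bits(length = 31, alphabet = ALPHABET)
  length * Math.log2(alphabet.size)
end

# Upper bound for a leet rewrite of a dictionary word: a cracker that tries
# each word under every subset of the k rules needs at most
# dictionary_size * 2**k guesses, i.e. log2(dictionary_size) + k bits.
def leet_bits(dictionary_size, table = LEET)
  Math.log2(dictionary_size) + table.size
end

if __FILE__ == $0
  dict = 200_000 # assumed size of a cracker's word list (constructed figure)
  puts "#{leet('book')} ~ #{leet_bits(dict).round(1)} bits (#{dict}-word list)"
  puts "#{random_password} ~ #{random_bits.round(1)} bits"
end
```

With the assumed 200,000-word list, "b00k" is worth about 20.6 bits against a cracker that knows the rule table, while a 31-character string from the 63-symbol alphabet is about 185 bits.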

On 24 August 2010 15:52, Jean-Julien F. [email protected]
wrote:

@Peter: how do you remember the login/password pairs that are
randomly chosen? Do you store them somewhere?

The really insane ones are used to access accounts or services
programmatically - so they are stored as part of the application that
accesses the service. These machines (the command and control servers)
are inside our company and protected but they have to store the
username / password as plain text. On the other end, at the hosting
companies we use, the username is in plain text but the password is
encrypted.

The firewalls at both ends limit which machines can even access the
services and tools look for abuse (such as DenyHosts) and we use ssh
where we can, so it's pretty secure.

However if anyone was to break into our office in the middle of the
night and gain access to the command and control servers then all bets
are off :(

My personal limit for remembering a long password is around 16
characters, but I have to use it frequently.

I may be a little late to this thread, but . . . what the heck.

On Tue, Aug 24, 2010 at 10:39:17PM +0900, Peter H. wrote:

That is not going to be very secure.

Agreed. It is extremely common for brute force attacks to make use of
translations to "leetspeak" as well as dictionary words before they
start using any kind of "randomness". The prevalence of leetspeak
translators one can find via Google is a testament to how common and
easy it is to make such translations:

https://encrypted.google.com/search?q=leetspeak+translator

When something is that easily found on the Web, and could be part of the
process of cracking your security, you can bet it’s going to be a common
part of the toolkit used by malicious security crackers.

This is what I use when I need a username or password for some part of
my system

[snip]

I use something similar, in a fairly complex script of my own, when I
don’t just use the random password generator built into pwsafe.

On Tue, Aug 24, 2010 at 11:52:20PM +0900, Jean-Julien F. wrote:

@Peter: how do you remember the login/password pairs that are
randomly chosen? Do you store them somewhere?

Speaking only as someone not named Peter, I use a password manager. At
the moment, what I use is pwsafe, with a little bit of convenience
scripting[1] to get around the lack of a feature or two that I rather
wish it had. I may eventually write my own password manager to replace
it, but for now I’m too lazy/busy to do so (not to mention the concern
over the possibility of writing important security applications and
getting it wrong).

PS: see also http://xkcd.com/538/

Amusing reference.

Rubber hose cryptanalysis is pretty effective, when circumstances allow
it (as in the case of the vague evil plan in the XKCD script). On the
other hand, automated brute-force attacks on SSH passwords (for instance)
are ongoing on the Internet all the time, and as the state of the art of
computer resources and of security cracking advance, what works today to
protect against the opportunists out there may not work tomorrow. Using
passwords and cryptography that might be regarded as "excessively" strong
now could just be planning for the future so that they don't have to be
changed tomorrow.

Just don’t expect it to make much difference against, for instance,
government agents in a meatspace confrontation.
