Finding the number of characters from an encrypted string


#1

Hi all, I was wondering if there was any way to find the number of characters that were present in an original string from an encrypted one?
Now my instincts say no because you are halfway to cracking a password if you can easily find the number of characters.

I need this because I am saving an encrypted version of a user’s password on the computer if they choose for the app to remember it. On load I then want a text box to display splodges for each character in the original password. Now I don’t really want to save the number of characters along with the encrypted password as this could potentially be insecure.

There does seem to be some relationship between the sizes of the strings, so I can have a guess by dividing the encrypted length by a constant, but the encrypted length reaches a maximum and then loses its relationship to the original length.

How do applications normally do this? Or do they just use a standard 8 splodges or something?


#2

You can’t.
Encryption works in blocks of data, so the password is padded to reach a block size before encrypting.

You can store the password length “hidden” by hashing it (the length, not the password).
Then you can try a few guesses and find out which hash matches. A bit like:

// Encryption
String password;                                  // the plain-text password
String encryptedPassword = cryptPW (password);    // your own encryption routine; it must return printable text
                                                  // (e.g. Base64) so that "\n" can be used as a separator below
String finalEncPassword = encryptedPassword + "\n"
                        + hash (String (password.length()) + " " + encryptedPassword);
// Store finalEncPassword


// Decryption
String finalEncPassword = storedPassword;         // the string saved above, loaded back from disk
String encPassword = finalEncPassword.upToFirstOccurrenceOf ("\n", false, false);
const String hashedVersion = finalEncPassword.fromFirstOccurrenceOf ("\n", false, false);   // take it from the full string, not from encPassword
int passwordLength = 0;
for (; passwordLength < 32; passwordLength++)
{
    if (hashedVersion == hash (String (passwordLength) + " " + encPassword))
        break;
}
// Here you have passwordLength (32 means no guess matched)

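Added example (my code, not the poster's, and JUCE-free so it compiles on its own): it plays the two ideas from the reply above end to end. toyEncrypt() stands in for cryptPW() and only does PKCS#7 padding to a 16-byte block plus a fixed XOR, hex-encoded; toyHash() stands in for hash() and is FNV-1a, not a cryptographic hash. Both names, storeWithLength() and recoverLength() are mine. The sample passwords are constructed.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>

// Added example, not the thread's code. toyHash() stands in for the poster's
// hash(): FNV-1a 64-bit rendered as hex, fine for a demo but NOT a
// cryptographic hash; a real app would use SHA-256 (juce::SHA256 or similar).
static std::string toyHash(const std::string& s)
{
    std::uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
    static const char* hexDigits = "0123456789abcdef";
    std::string out;
    for (int shift = 60; shift >= 0; shift -= 4)
        out += hexDigits[(h >> shift) & 0xF];
    return out;
}

// toyEncrypt() stands in for the poster's cryptPW(). It only applies PKCS#7
// padding to a 16-byte block and a fixed XOR, then hex-encodes so the output
// is printable and "\n" can safely separate it from the hash. It is NOT
// encryption; it is here to show why ciphertext length hides the exact
// password length: every password from 0 to 15 bytes yields one full block.
static std::string toyEncrypt(const std::string& pw)
{
    const std::size_t block = 16;
    const std::size_t pad = block - (pw.size() % block);   // 1..16, never 0
    std::string padded = pw + std::string(pad, static_cast<char>(pad));
    static const char* hexDigits = "0123456789abcdef";
    std::string hex;
    for (unsigned char c : padded)
    {
        c ^= 0x5A;                                          // placeholder for a real cipher
        hex += hexDigits[c >> 4];
        hex += hexDigits[c & 0xF];
    }
    return hex;
}

// Build the stored blob exactly as the reply describes:
// <ciphertext> "\n" <hash(length + " " + ciphertext)>
static std::string storeWithLength(const std::string& password)
{
    const std::string enc = toyEncrypt(password);
    return enc + "\n" + toyHash(std::to_string(password.size()) + " " + enc);
}

// Recover the length by re-hashing every candidate 0..maxLen, as in the
// reply. Returns -1 when nothing matches (the reply's loop would leave
// passwordLength at 32 in that case, indistinguishable from a real 32).
static int recoverLength(const std::string& blob, int maxLen = 32)
{
    const std::size_t nl = blob.find('\n');
    if (nl == std::string::npos) return -1;
    const std::string enc = blob.substr(0, nl);
    const std::string hashed = blob.substr(nl + 1);
    for (int len = 0; len <= maxLen; ++len)
        if (toyHash(std::to_string(len) + " " + enc) == hashed) return len;
    return -1;
}

int main()
{
    // Constructed sample passwords; note the first three all give the same ciphertext length.
    for (const char* pw : { "", "a", "hunter2", "correct horse battery" })
    {
        const std::string blob = storeWithLength(pw);
        std::cout << "password length " << std::string(pw).size()
                  << ", ciphertext hex length " << blob.find('\n')
                  << ", recovered length " << recoverLength(blob) << "\n";
    }
    return 0;
}
```

Two things the run makes visible: the padding is what blurs the length (an empty password, "a" and "hunter2" all produce one 16-byte block), and the length hash contains no secret, so the same 33-guess loop recovers the length for anyone who can read the stored file. It keeps the number out of plain view, nothing more; if that matters, the length has to go inside the encrypted payload rather than beside it.
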
#3

That makes sense, cheers.