About password
-
Hi, guys. I want to add a password for my application, but I don't know where to store the username and password. In fact, I don't want a special file to store them. Can I store them in the register table, and how? Or is there another correct place to store them that I don't know of? I hope for some useful ideas. Thank you very much! vigorous
-
You don't tell us anything about your application. That would generally determine where would be a sensible place. Wherever you store this information, it is important to encrypt the passwords, preferably using a one-way encryption, so when the user types their password, you encrypt what they typed and compare the two encrypted strings. I just got a letter today from equiTalk, who provide cheap telephone calls, and in it they put, in a nice little side box, my phone number, email address, account number and PASSWORD. To put my reaction diplomatically: I was severely unimpressed.
"You can have everything in life you want if you will just help enough other people get what they want." --Zig Ziglar The Second EuroCPian Event will be in Brussels on the 4th of September Can't manage to P/Invoke that Win32 API in .NET? Why not do interop the wiki way! My Blog
-
If you're asking such an over-simplified architectural question, I'd have to say it seems like you don't know where to begin - not a good sign if you think you can write your own security system. It's not easy and is often too over-simplified. There are already mechanisms in place for this, such as using encrypted requests to a SQL Server 2000 database (or MSDE) where the passwords are hashed - NEVER store the passwords in plaintext. If you want to protect a local, non-connected application, there are already facilities in Windows. Take a look at the article, How to Create a DPAPI Library, in the Microsoft Patterns and Practices section for one pretty secure method. This encapsulates DPAPI - a native API - in a .NET assembly that you can use with any managed language (C#, VB.NET, MC++, Perl.NET, etc.). There are other ways, but you should study what exists by browsing and searching MSDN, especially their Patterns and Practices section, which covers design, development, and deployment concepts including security in your application. Security is definitely not something to take lightly.
Microsoft MVP, Visual C# My Articles
-
In fact, what I need is quite simple: just an identity window in which the user can enter a username and password. If they are correct, the user can enter the following interface. Just so simple. And there is a non-connected application. Now I understand DPAPI could protect the password and database. But what I really care about is where to store the username and password. Because in my application, even the password is not encrypted, it is also ok. And I don't want to use a separate file to do that. Please give me a correct direction. Thank you, vigorous
-
wk_vigorous wrote: "even the password is not encrypted"
:wtf: ENCRYPT THE PASSWORD! People share the same password between many applications. Quite simply, the average person today is overloaded with passwords to remember, so they take the easy route and have only a small number of passwords they reuse. If you leave the password exposed you are leaving your user exposed. TAKE SOME RESPONSIBILITY FOR THIS. You cannot believe how irritated I am when I see that someone has not taken the time to secure my personal information. I count passwords as highly sensitive personal information. :mad:
"You can have everything in life you want if you will just help enough other people get what they want." --Zig Ziglar The Second EuroCPian Event will be in Brussels on the 4th of September Can't manage to P/Invoke that Win32 API in .NET? Why not do interop the wiki way! My Blog
-
Thanks, and I now fully understand the importance of encryption. Could you introduce some way to encrypt data in C#? And I am still confused about the place to store the password. Where do you think is a suitable location? Thank you, vigorous
-
DPAPI also stores the credentials securely. If you just hard-code a username and password in your code, it's easy for users to see it. I, for example, spend a lot of time looking at the assembly and type metadata, as well as the IL in assemblies, to gain a complete understanding of how they work. I would see the strings you use for usernames and passwords. Again, security should not be taken lightly. DPAPI provides what you need and even includes its own prompt. Take a look at the article I linked, which explains it all.
Microsoft MVP, Visual C# My Articles
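One way to combine the thread's two suggestions for a local, non-connected application, as an added example that is not from the thread or from the linked DPAPI article: protect the stored record with DPAPI through .NET's ProtectedData class and keep the resulting blob in the per-user registry hive instead of a separate file. It is Windows only; the key path, entropy string and sample record are hypothetical values chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

// Added example (Windows only). On .NET Core and later, ProtectedData comes from
// the System.Security.Cryptography.ProtectedData package.
public static class CredentialStore
{
    // Hypothetical key path and entropy string chosen for this example.
    private const string KeyPath = @"Software\ExampleApp\Credentials";
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.v1");

    // Encrypts the record under the current Windows account and writes it to HKCU.
    public static void Save(string userName, string passwordRecord)
    {
        byte[] plain = Encoding.UTF8.GetBytes(passwordRecord);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue(userName, blob, RegistryValueKind.Binary);
        }
    }

    // Returns the stored record, or null if it is missing or cannot be decrypted.
    public static string Load(string userName)
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            byte[] blob = key?.GetValue(userName) as byte[];
            if (blob == null) return null;
            try
            {
                byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
                return Encoding.UTF8.GetString(plain);
            }
            catch (CryptographicException)
            {
                return null; // blob altered, or written under another Windows account
            }
        }
    }

    public static void Main()
    {
        // Constructed sample: the record should be a salted password hash, never the password.
        Save("vigorous", "600000.c2FsdA==.aGFzaA==");
        Console.WriteLine(Load("vigorous") ?? "(no record)");
    }
}
```

With `DataProtectionScope.CurrentUser`, any program running under the same Windows account can decrypt the blob, and the entropy string is visible in the assembly's IL like any other hard-coded string, so what gets stored should still be a one-way hash and not the password itself.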