Saving password to registry?
-
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
-
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
There are many articles on cryptography if you do a search. However I would advise against it. It would be all too easy for someone to reverse engineer your code to find out out to decrypt it (you must also want to decrypt it at a later stage, right?) If you *must* save the username and password it needs to be at least as secure as windows encryption is. Try looking at the Crypto API. A search for such on google will give you quite a bit of information. Ant. I'm hard, yet soft.
I'm coloured, yet clear.
I'm fruity and sweet.
I'm jelly, what am I? Muse on it further, I shall return! - David Williams (Little Britain) -
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
In addition to Antony's suggestion, remember to not use key/value names such as username and password.
"When I was born I was so surprised that I didn't talk for a year and a half." - Gracie Allen
-
In addition to Antony's suggestion, remember to not use key/value names such as username and password.
"When I was born I was so surprised that I didn't talk for a year and a half." - Gracie Allen
-
If its for NT/2K/XP... isnt there a registry string type that will encrypt automaticly ? (Maybe it was added only starting with XP. Just a thought.
darkbyte wrote: isnt there a registry string type that will encrypt automaticly ? I only know of: REG_NONE REG_SZ REG_EXPAND_SZ REG_BINARY REG_DWORD REG_DWORD_BIG_ENDIAN REG_LINK REG_MULTI_SZ REG_RESOURCE_LIST REG_FULL_RESOURCE_DESCRIPTOR REG_RESOURCE_REQUIREMENTS_LIST REG_QWORD
"When I was born I was so surprised that I didn't talk for a year and a half." - Gracie Allen
-
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
See : CryptProtectData() CryptUnprotectData() I generally build a string "<username>\n<userpass>", encrypt it, and store in a single registry key. The weakness is that anyone able to run as the user that encrypts the data can also decrypt it. ...cmk Save the whales - collect the whole set
-
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
-
i face similar problem, therw may be many solution to this problem,the solution is this. i when ever i save the password in registry i Encrypt using RC4 encryption and when ever i need it i decrypt it and make use of it ----------------------------- "I Think It will Work" Formerly Known As "Alok The Programmer" at CP ----------------------------- Alok Gupta visit me at http://www.thisisalok.tk
-
i face similar problem, therw may be many solution to this problem,the solution is this. i when ever i save the password in registry i Encrypt using RC4 encryption and when ever i need it i decrypt it and make use of it ----------------------------- "I Think It will Work" Formerly Known As "Alok The Programmer" at CP ----------------------------- Alok Gupta visit me at http://www.thisisalok.tk
I think it all depends on the level of protection you require on the password You may or may not need the password to be decrypted which imposes 2 different ways of storing the data. 1) Need to decrypt This is a weak way of storing a password because it can be decrypted but one might find this easier to handle since they can display the password after or send it by e-mail etc. 2) No need to decrypt You store a non-decryptable version of the password or user/pass (if it applies) then when you need to validate the password, you encrypt the source data (password or user/pass) and compare versus what's found in your storage (registry). This also has the advantage that you will mostly never have the password unencrypted in process memory except for the source data which isnt guaranteed to match. Once you decided on how you want to handle storage, you can better decide which encryption method you're going to use. Remember that each encryption system has its strengths and its weaknesses.
-
darkbyte wrote: isnt there a registry string type that will encrypt automaticly ? I only know of: REG_NONE REG_SZ REG_EXPAND_SZ REG_BINARY REG_DWORD REG_DWORD_BIG_ENDIAN REG_LINK REG_MULTI_SZ REG_RESOURCE_LIST REG_FULL_RESOURCE_DESCRIPTOR REG_RESOURCE_REQUIREMENTS_LIST REG_QWORD
"When I was born I was so surprised that I didn't talk for a year and a half." - Gracie Allen
-
Hi, I a making an MFC app that needs to save the user's password and username to the registry. How do I go about "encrypting" it before I save it to the registry so no sneaks will look in the registry to see the user's password (for example, a brother or sister or whoever..). Thanks!
You should never save a password, even an encrypted one, especially in the registry. You should, instead, save a cryptographic hash value that results from the password, and user name if you want to be really secure. The way this works is that different passwords and/or usernames will produce different consistant hash values and you can not reverse engineer a password and/or user name from the hash value. When a user enters a password you can compare the resulting hash value to the saved value and determine if the password is correct without ever storing the actual password in a data store. If the hash values match you can say with a high degree of certainty that the user entered the correct password. A 160 bit hash value is currently considered to be the standard for a secure system. MD5 produces a 128 bit hash value, which is a bit undersized by todays standards, and, additionally, has been known to contain theoretical flaws which have recently been shown to be exploitable for applications like you are describing. It is still a viable hashing algorythm for certain types of applications but not for your application. I would recommend SHA256 at a minimum (256 bit hash value) or for extreme security SHA384 or SHA512. SHA384 or SHA512 require 64 bit arithmetic and you must be carefull if you are implementing them on a 32 bit processor due to the difference in the way numbers are stored on different architectures. Therefore, since SHA256 exceeds the current standard for security and can be implemented with 32 bit arithmetic I would recommend that you use it as your hashing algorythm.