Where to put the password?
Hello guys. I'm stuck in one of the silliest problems anyone would ever imagine. Alright, my application is a password protected database application. I know!! I've already put the passwords of my application, and the database in an external file -not the main config. I got my reasons though-. Now I want to encrypt that external file to protect my passwords, and not to hardcode them in my program. The funny thing is that I need a key, which has to be the same in the Encrypting/Decrypting process. I don't want to hardcode that key -I know it's not the best practice-. Also I don't want to use the File.Encrypt() method, as it's easily broken -using the Decrypt method BTW-, and assumes that the user has NTFS. I figured out an inconvenient way of making the user's password, or my Assembly's GUID, serve as that key. This is my last resort, but I'd really like to hear fresh ideas, as I'm out of them!! PS. Currently I'm reading the MSDN security section. Can you imagine how desperate I am now?
Regards :rose:
The most used solution in cases like this is to store the hash value of the password instead of the password itself. When a user tries to log in, the program will compute the hash code of the password provided by the user and compare it to the stored value. This is very secure, especially if you use a strong hashing algorithm like SHA1. The .NET Framework provides exhaustive support for hashing. The only problem is that you no longer have the clear-text password. It might be a problem if the user forgets his password.
________________________________________________ Personal Blog [ITA] - Tech Blog [ENG] Developing ScrewTurn Wiki 2.0 (2.0 Alpha is out)
First, thank you for your reply. I already applied that solution in the login password of the user. I now have some other sensitive data that I must encrypt in an external file. Where would I put the encryption key? That was my question -sorry if it wasn't clear the first time-.
Regards :rose:
I ran across the same problem. Since the application wasn't meant to be particularly secure, I just hard-coded the encryption key in the application, "hiding" it so that it doesn't seem a key but just an error message. In other words, there is a fictitious error message, and I use that string to generate the key using a method with a name like PerformOperations, so that it does not seem encryption-related. It's not very secure, but in my case it was enough.
Well. I guess I'd go for that if my time is cut short. Thanks for your time Dario.
Regards :rose:
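One way to carry out the "use the user's password as the key" idea from the question without storing or hardcoding any key, added here as an example and not code from the thread: the file key is derived from the login password with PBKDF2 and a random salt, and the file is sealed with AES-GCM so a wrong password is detected rather than producing garbage. It assumes .NET 8 or later; the SecretFile class, its method names and its file layout are constructed for this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
// Constructed example: the file key is derived from the user's login password at
// run time, so neither a key nor a password is stored or hardcoded anywhere.
// File layout: [16-byte salt][12-byte nonce][16-byte tag][ciphertext]
static class SecretFile
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    const int Iterations = 600_000; // PBKDF2-HMAC-SHA256 work factor
    static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
    public static void Save(string path, string password, string plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);   // fresh random salt per save
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // never reused with one key
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        byte[] cipher = new byte[data.Length];
        byte[] tag = new byte[TagSize];
        byte[] key = DeriveKey(password, salt);
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Encrypt(nonce, data, cipher, tag);
        }
        finally { CryptographicOperations.ZeroMemory(key); } // key exists only while in use
        using var fs = File.Create(path);
        fs.Write(salt); fs.Write(nonce); fs.Write(tag); fs.Write(cipher);
    }
    public static string Load(string path, string password)
    {
        byte[] blob = File.ReadAllBytes(path);
        var salt = blob.AsSpan(0, SaltSize);
        var nonce = blob.AsSpan(SaltSize, NonceSize);
        var tag = blob.AsSpan(SaltSize + NonceSize, TagSize);
        var cipher = blob.AsSpan(SaltSize + NonceSize + TagSize);
        byte[] plain = new byte[cipher.Length];
        byte[] key = DeriveKey(password, salt.ToArray());
        try
        {
            using var aes = new AesGcm(key, TagSize);
            // Wrong password or tampered file: the GCM tag check fails and throws a
            // CryptographicException instead of returning garbage.
            aes.Decrypt(nonce, cipher, tag, plain);
        }
        finally { CryptographicOperations.ZeroMemory(key); }
        return Encoding.UTF8.GetString(plain);
    }
}
```

Call SecretFile.Save(path, password, text) right after a successful login and SecretFile.Load(path, password) when the data is needed; the trade-off Dario noted still applies, since a forgotten login password also loses access to the protected file.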