Code Project
ObiWan_MCC

@ObiWan_MCC
Posts


  • Clue Bat
    ObiWan_MCC

    Uh, a "clue bat"? You're kidding, aren't ye? See, that stuff is totally off-standard and has been for years now; if you need an educational helping device, you'd better pick something which conforms to RFC-2321. Not only will it be useful to educate users, but it will also be of help with networking and computing issues: https://tools.ietf.org/html/rfc2321 ;-)

    The Lounge question

  • Securing Local Files [Solved]
    ObiWan_MCC

    I see; given your situation there may be another possible solution. Assuming that the webservice you're calling is hosted on a different box (or instance), and given that you don't have the code for the service, you may create your own webservice app, embed the user credentials into such an app and install it on the same (or another) box/instance where the regular webservice lives. This way, your webservice will act as a "proxy", so that your winforms app will call your webservice w/o any credentials and the latter will act as a "proxy" to the real webservice (and will pass it the needed credentials).

    Visual Basic security csharp help

  • Securing Local Files [Solved]
    ObiWan_MCC

    forgot; as for encrypting/decrypting, you may use the following code (not mine, but I'm sorry to say I don't remember where I found it)

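    // requires: using System; using System.IO; using System.Security.Cryptography;
    // _salt is a byte[] field of the containing class (Rfc2898DeriveBytes needs at least 8 bytes).

    // Encrypt the given string using AES. The string can be decrypted using
    // DecryptString(). The sharedSecret parameters must match.
    public string EncryptString(string plainText, string sharedSecret)
    {
        if (string.IsNullOrEmpty(plainText))
            throw new ArgumentNullException("plainText");
        if (string.IsNullOrEmpty(sharedSecret))
            throw new ArgumentNullException("sharedSecret");

        string outStr = null;                       // Encrypted string to return
        RijndaelManaged aesAlg = null;              // RijndaelManaged object used to encrypt the data.

        try
        {
            // generate the key from the shared secret and the salt
            Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(sharedSecret, this._salt);

            // Create a RijndaelManaged object
            aesAlg = new RijndaelManaged();
            aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);

            // Create an encryptor to perform the stream transform.
            ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);

            // Create the streams used for encryption.
            using (MemoryStream msEncrypt = new MemoryStream())
            {
                // prepend the IV (4-byte length, then the IV itself)
                msEncrypt.Write(BitConverter.GetBytes(aesAlg.IV.Length), 0, sizeof(int));
                msEncrypt.Write(aesAlg.IV, 0, aesAlg.IV.Length);
                using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                {
                    using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
                    {
                        // Write all data to the stream.
                        swEncrypt.Write(plainText);
                    }
                }
                outStr = Convert.ToBase64String(msEncrypt.ToArray());
            }
        }
        finally
        {
            // Clear the RijndaelManaged object.
            if (aesAlg != null)
                aesAlg.Clear();
        }

        // Return the encrypted bytes from the memory stream.
        return outStr;
    }

    // Decrypt the given string. Assumes the string was encrypted using
    // EncryptString(), using an identical sharedSecret.
    public string DecryptString(string cipherText, string sharedSecret)
    {
        if (string.IsNullOrEmpty(cipherText))
            throw new ArgumentNullException("cipherText");
        if (string.IsNullOrEmpty(sharedSecret))
            throw new ArgumentNullException("sharedSecret");

        // The post is cut off at this point. The rest of the body is a
        // reconstruction that reverses the layout EncryptString() writes:
        // Base64( [4-byte IV length][IV][ciphertext] ).
        string plainText = null;
        RijndaelManaged aesAlg = null;

        try
        {
            // generate the key from the shared secret and the salt
            Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(sharedSecret, this._salt);

            // read the IV back from the front of the buffer
            byte[] data = Convert.FromBase64String(cipherText);
            int ivLength = BitConverter.ToInt32(data, 0);
            if (ivLength <= 0 || ivLength > data.Length - sizeof(int))
                throw new CryptographicException("Malformed ciphertext.");
            byte[] iv = new byte[ivLength];
            Buffer.BlockCopy(data, sizeof(int), iv, 0, ivLength);

            aesAlg = new RijndaelManaged();
            aesAlg.Key = key.GetBytes(aesAlg.KeySize / 8);
            aesAlg.IV = iv;

            // Create a decryptor and read the remaining bytes through it.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            int offset = sizeof(int) + ivLength;
            using (MemoryStream msDecrypt = new MemoryStream(data, offset, data.Length - offset))
            using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
            using (StreamReader srDecrypt = new StreamReader(csDecrypt))
            {
                plainText = srDecrypt.ReadToEnd();
            }
        }
        finally
        {
            // Clear the RijndaelManaged object.
            if (aesAlg != null)
                aesAlg.Clear();
        }

        return plainText;
    }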

    Visual Basic security csharp help

  • Securing Local Files [Solved]
    ObiWan_MCC

    I think you're approaching the issue the wrong way; see, you DON'T need to know the password (nor to store it); all you need to do is check that it is correct. For such a task, all you'll need is an MD5 "salted" hash; just to be clear, let's say you have the following code

    // requires: using System; using System.Text; using System.Security.Cryptography;

    // generates the unique (salted) hash of a string
    private static string getKey(string sSalt, string sKey)
    {
        Byte[] originalBytes, encodedBytes;
        MD5 hash = new MD5CryptoServiceProvider();
        // or: SHA256 hash = new SHA256CryptoServiceProvider();

        // generate the hash value
        originalBytes = ASCIIEncoding.Default.GetBytes(sSalt + "." + sKey);
        encodedBytes = hash.ComputeHash(originalBytes);

        // turn the hash to a string and return it
        string sResult = BitConverter.ToString(encodedBytes).Replace("-", "");
        // or: string sResult = Convert.ToBase64String(encodedBytes);
        return sResult;
    }

    Now, in your login form, you ask for a username and a password; let's say you get back "jdoe" and "supersecret". At this point, you just call the above function this way

    string hashValue = getKey(userName, userPass);

    and the hashValue will now contain something like "752dcc62c07fb4652981add596e1427b". Now, with this value in your hands, you run a query on your database user table looking for the user name (jdoe) and, if found, you compare the salted MD5 hash stored as the password with the one you just generated and, if they match, you grant access to the user. At this point, in case you need to use the password "in clear", you may just encrypt the password you received and store it into a session cookie; this will give you VOLATILE (temporary) storage and, while it will allow you to retrieve the password for the session lifetime, you won't in reality store the password anywhere on your server and... retrieving a password from a salted hash isn't exactly an easy task, believe me :) HTH

    Visual Basic security csharp help