Hi,

I am writing a Windows Forms application which requires the users to log in. I have done this before. The method I used last time was storing the usernames / passwords in a file which could be encrypted / decrypted as required by the program. But I hard coded the key into the program like this:

C#
using System.Security.Cryptography;

public class AccountFile
{
    private RijndaelManaged rm = new RijndaelManaged();

    // Hard-coded 16-byte (AES-128) key: anyone who opens the assembly can read it.
    byte[] key =
        { 12, 84, 46, 77, 09, 27, 99, 65, 92, 84,
          52, 57, 35, 95, 75, 57 };

    // The IV is the same 16 bytes as the key and is reused for every file.
    byte[] IV =
        { 12, 84, 46, 77, 09, 27, 99, 65, 92, 84,
          52, 57, 35, 95, 75, 57 };
}


This is obviously a bad idea. How can I store / distribute keys securely outside the program?
Comments
Sergey Alexandrovich Kryukov 19-Oct-11 12:10pm    
Good question, my 5.
Now, what's the purpose? Why do you want to store the password? Is this because you want to reuse it to log in automatically somewhere else later using the same username/password? If so, you need to encrypt it well, and use no files, even encrypted. If you want to log in to just your application, storing the password is not needed at all. Do you realize it?
--SA
Macro Man 20-Oct-11 4:02am    
The purpose is simply validation, to log in to the application. I want to control who uses the application by creating an 'account' for them. They of course need the ability to change the initial password. These details must be stored somewhere in some form. Encryption is essential of course. But, as displayed above, the encryption key must also be stored somewhere (either in the program or somewhere else). Anyone using Reflector or an MSIL viewer will be easily able to decrypt my accounts file.
Mehdi Gholam 19-Oct-11 13:15pm    
What's wrong with using Windows authentication instead of storing passwords?
Macro Man 20-Oct-11 4:04am    
Users may be using a guest account. Accounts and permissions in my application need to be independent of Windows.
Mehdi Gholam 20-Oct-11 4:08am    
If you are using a database, just store them in your database instead of locally.

I agree with both comments listed above, but another option is to store only the encrypted username/password token. Do not at any time store the username and password separately in a file. That is a security risk in itself. Using a token will allow you to validate against the token instead of the username/password as separate entities.
 
Comments
Macro Man 20-Oct-11 4:06am    
Could you elaborate on this token validation / provide a basic example?
fjdiewornncalwe 20-Oct-11 12:48pm    
It would be hard to provide a basic example. The concept is to take the username and password, combine them in code and create a single encrypted fixed length token. You do this the same every time users come to the site, but you compare the tokens and don't at any time deal with the raw username and password on your disk or db.
Macro Man 21-Oct-11 4:50am    
This, and the hashing suggested by shacharKl below (assuming the hash itself is encrypted) is more secure than directly encrypting the username and password, but any sort of encryption brings us back to the original question. How can I encrypt anything without hard-coding into my application everything that someone would need to decrypt it?
fjdiewornncalwe 21-Oct-11 10:57am    
Not really. If you use one-way encryption then you aren't providing any algorithms of any kind for decryption. The only way to get a token is for the user to provide a valid username/password combination. Once encrypted into the token, it would be extremely difficult for someone to decrypt and there is nothing in your source that can be used to help that along much. Although no encryption is foolproof, the amount of time required to decrypt a token like this would be monumental and simply not worth anyone's time.
Macro Man 21-Oct-11 11:39am    
I see. I understand you don't have the time to write up an example of this, but could you possibly point me to some resource that will help me get started? As stated above, I have used encryption before but I now require a 'professional' implementation.
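The following is an added example for both the original question (how to avoid shipping a key) and this answer's "one-way token" idea; it is not code from the question or from fjdiewornncalwe. The point it makes is that a password store built on a salted, slow one-way hash needs no secret in the program at all: a random per-user salt and a PBKDF2 hash (.NET's Rfc2898DeriveBytes) are written to the accounts file in the clear, and a login attempt is checked by re-deriving the hash from the typed password. The class and member names (PasswordStore, AccountRecord) and the iteration count are assumptions made up for this example; the accounts dictionary stands in for whatever file or database the application actually uses.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: a password store with no key to hide.
// Salt and hash are stored as-is; only the slow PBKDF2 work and the
// user's password are needed to verify, so a decompiler gains nothing.
public sealed class AccountRecord
{
    public byte[] Salt;      // 16 random bytes per user, stored in the clear
    public byte[] Hash;      // PBKDF2 output, stored in the clear
    public int Iterations;   // stored so the cost can be raised for new accounts later
}

public sealed class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 100000; // assumed; tune so a login takes ~100 ms

    // Stand-in for the accounts file: this is what would be serialised to disk.
    private readonly Dictionary<string, AccountRecord> accounts =
        new Dictionary<string, AccountRecord>(StringComparer.OrdinalIgnoreCase);

    public void CreateAccount(string username, string password)
    {
        if (accounts.ContainsKey(username))
            throw new InvalidOperationException("account already exists");
        accounts[username] = Derive(password, NewSalt(), DefaultIterations);
    }

    public bool Verify(string username, string password)
    {
        AccountRecord rec;
        if (!accounts.TryGetValue(username, out rec))
        {
            // Unknown user: do the same work anyway so response time does not
            // reveal which usernames exist.
            Derive(password, new byte[SaltBytes], DefaultIterations);
            return false;
        }
        byte[] candidate = Pbkdf2(password, rec.Salt, rec.Iterations, rec.Hash.Length);
        return FixedTimeEquals(candidate, rec.Hash);
    }

    public bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (!Verify(username, oldPassword)) return false;
        // Fresh salt on every change so old and new hashes are unrelated.
        accounts[username] = Derive(newPassword, NewSalt(), DefaultIterations);
        return true;
    }

    private static AccountRecord Derive(string password, byte[] salt, int iterations)
    {
        return new AccountRecord
        {
            Salt = salt,
            Iterations = iterations,
            Hash = Pbkdf2(password, salt, iterations, HashBytes)
        };
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(length);
    }

    private static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    // Constant-time comparison: a mismatch in the first byte costs the same as one in the last.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new PasswordStore();
        store.CreateAccount("alice", "correct horse battery staple");
        Console.WriteLine(store.Verify("alice", "correct horse battery staple"));
        Console.WriteLine(store.Verify("alice", "wrong"));
        Console.WriteLine(store.ChangePassword("alice", "correct horse battery staple", "new-pass"));
        Console.WriteLine(store.Verify("alice", "new-pass"));
    }
}
```

The random salt does the job the answer assigns to "combining" the username and password: two users with the same password get unrelated hashes, and a precomputed table is useless. Mixing the username into the hash is therefore unnecessary, and it would also force a re-hash if a user were ever renamed.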
You could choose yourself a hashing pattern.
MD5(username+"$!#$"+password+username.Reverse) - for instance.
Keep only the valid hashes, and then you could authenticate a given username & password. The hashing pattern is not hidden, but I think that it would be more challenging to crack, if your pattern is unusual.
Comments
Macro Man 20-Oct-11 4:17am    
So far as I can see this is less secure than encryption - assuming the hashes are not themselves encrypted, that is. Also, this method has exactly the same flaw described in my original post. There's nothing stopping people looking at my code.
ShacharK 21-Oct-11 20:20pm    
Yes, but an "interesting" pattern can slow down many brute-force attacks... I didn't say that it makes encryption obsolete... Nothing does, but it's another security measure.
Member 8086285 3-Dec-11 8:47am    
I am making a Windows application in .NET using C# (like a management system). I need to enter a username and password for login, and I want that if any user forgets their password then the software will send a new password to their e-mail ID.
How is this possible?
If anyone knows this, please send me the whole information with code at these e-mails,
1-deepaknagwan18@gmail.com
2-deepakvats@india.com
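As an added illustration of the caveat to the MD5-pattern answer above (this is not ShacharK's code), the block below implements the pattern exactly as written, MD5(username + "$!#$" + password + Reverse(username)), and then runs it the way an attacker who has decompiled the application would: against a candidate list. Since the pattern is in the executable, the attacker calls the same function; an unusual string layout does not change the work per guess, which for MD5 is tiny. The word list, the username and the stored hash are all constructed for the example, and the PBKDF2 timing at the end is included only as a cost comparison.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: the answer's MD5 pattern, then an offline guess against it.
public static class PatternAttackDemo
{
    // The answer's pattern, implemented literally.
    public static string PatternHash(string username, string password)
    {
        string reversed = new string(username.Reverse().ToArray());
        string input = username + "$!#$" + password + reversed;
        using (var md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(input));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Constructed candidate list standing in for a real password dictionary.
    private static readonly string[] WordList =
        { "123456", "password", "qwerty", "letmein", "summer2011", "Passw0rd", "macro" };

    // Returns the password that reproduces storedHash for this username, or null.
    public static string Crack(string username, string storedHash, out int attempts)
    {
        attempts = 0;
        foreach (string guess in WordList)
        {
            attempts++;
            if (PatternHash(username, guess) == storedHash) return guess;
        }
        return null;
    }

    public static void Main()
    {
        // What the accounts file would contain for a constructed user.
        string stored = PatternHash("macroman", "summer2011");

        int attempts;
        string found = Crack("macroman", stored, out attempts);
        Console.WriteLine("recovered '{0}' after {1} guesses", found, attempts);

        // Measure how many pattern hashes this machine computes per second.
        const int n = 200000;
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < n; i++) PatternHash("macroman", "guess" + i);
        sw.Stop();
        Console.WriteLine("{0:N0} pattern hashes/second on this machine",
            n / sw.Elapsed.TotalSeconds);

        // Contrast: one PBKDF2 derivation with 100000 iterations (iteration count assumed).
        sw.Restart();
        using (var kdf = new Rfc2898DeriveBytes("summer2011", new byte[16], 100000))
            kdf.GetBytes(32);
        sw.Stop();
        Console.WriteLine("one PBKDF2 derivation took {0} ms", sw.ElapsedMilliseconds);
    }
}
```

The gap between the two timings is the whole argument: the pattern costs the attacker one MD5 per guess, so the only real defence is a per-guess cost the defender chooses (the iteration count) plus a random salt, not a secret string layout that is no longer secret once the assembly has shipped.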

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)