Dear CodeProject,

I'm wondering how I can create a safe and secure Login / Register system for an application, and I want to know how to use MySQL safely in C#.

Can anyone help me create a Login/Register and secure it with MySQL in C#?

Regarding the aspect of password "storage": Never store the password in either plaintext or in encrypted form. Encryption can be broken. That's what allows hackers to steal passwords from websites that weren't engineered in a safe way. The basic idea is to store a hashcode of the password that cannot be reversed to the password. And when the user wants to log on, you calculate the hashcode from his entered password once again and compare that to the stored hashcode. There are several things to keep in mind to implement this safely; please refer to this article: Salted Password Hashing - Doing it Right

edit: That article only talks about the right way of doing it - the following articles also explain why other ways of doing it are bad:
http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374
https://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way/
/edit

Regarding the aspect of using MySQL from C# - if you need help with that, please use this Google search, which will show you several CodeProject articles covering this: https://www.google.com/search?q=c%23+mysql+codeproject&ie=utf-8&oe=utf-8
 
When it comes to security, there are many things by which we can secure our application.

If you are working with a desktop application, the basic thing is to create a stored procedure; then you can use cryptography classes to save your password in encrypted format.
If you do not have those classes, I wouldn't mind sharing them with you, or reply to this if you need a brief article for this.
 
Comments
Sascha Lefèvre 19-Apr-15 12:03pm    
Sorry but this is bad advice. Whether or not you use a stored procedure doesn't have anything to do with it. That's just misleading but the main mistake is to suggest saving the password in encrypted form. That's how passwords can be hacked. Please see solution 3.
Rana Waqas 19-Apr-15 12:35pm    
My bad... but what I was trying to say is that we have a private key with us which is combined with the user's password to form a public key that is to be stored in our database. Now, at the time of logging in, that public key is decrypted and matched with the private key that we have in our class, and the user logs in.
If this process is hackable, please let me know how. And just as a reminder, I hope we are talking about a Windows Forms application, not ASP.NET?

In addition, I am a keen learner rather than a teller; that is why I am here at CodeProject. It's a great place to be with people who are related to you, who listen and answer you.
So any guidance from you related to the topic will be very useful for me.
Sascha Lefèvre 19-Apr-15 13:01pm    
Yes, it's hackable. Even if the hackers don't succeed in somehow directly obtaining your private key, they can run brute force attacks on the encrypted passwords. As soon as one or more passwords are weak (like "mypassword" or "abc123") they will figure out the key in reasonable time and be able to decrypt all passwords. Whether it's ASP.NET or Windows Forms is not relevant.

You should read the article that I've linked in solution 3 :-)
Rana Waqas 19-Apr-15 18:23pm    
I'm not satisfied with your answer because what you are talking about are exceptional cases. Let's suppose a user enters the password mypassword, which is weak, but you don't even know what key I am using on my side, and obviously that key will be very strong, containing numbers and special characters. These are billions of combinations that a brute force attack can generate, but still the person will die before he cracks it. In statistics there is a chapter called probability in which they teach us about making combinations taking 3 or 4 as a digit. Suppose your password is 10 digits; then according to statistics we can generate more than 10 billion combinations from it. Suppose my key is 100 digits; then you can't even imagine breaking it.
I found this brief article; it might be very helpful to you.

Connect C# to MySQL
 
Comments
Thanks7872 19-Apr-15 12:11pm    
Don't post multiple solutions on the same question.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


