Password saving .NET

Question

0.00/5 (No votes)

See more:

I have a small app that needs user credentials to operate. Whats the best way(library) to store those credentials for later use using .NET Thanks in advance.

Posted 18-Apr-11 7:43am

apaka

Updated 18-Apr-11 7:44am

v2

Add a Solution

4 solutions

Solution 3

Like Nish said, there are way too many factors, situations, and possible requirements. We have no idea of the environment you're in, how secure it has to be, or anything even remotely associated with access control. It's a decision only you can make.

Posted 18-Apr-11 8:02am

#realJSOP

Comments

Sergey Alexandrovich Kryukov 18-Apr-11 15:47pm

This is an important note. My 5. That's why I emphasized on understanding of what encryption and hashing can deliver to the solution.
--SA

Solution 4

To add to what SA said: When you store a hash of a password, do not hash the raw password either: include the UserID or UserName or other unique-to-this-user information with it before you generate the hash.

Otherwise, if two users have the same password, they will have the same hash. This can be used to break into systems, by inserting your guess as to the password and comparing it to other users hash value. Since this isn't an attempt to log in with the wrong password it is difficult to spot as an intrusion attempt.

Additionally, since many users set the password to something they remember = "password" for example - a quick look at the database hashes can immediately isolate the likely targets for easy guessing.

Including the UserID with the password in the hash prevents these quite simply!

Posted 18-Apr-11 9:30am

OriginalGriff

Comments

Sergey Alexandrovich Kryukov 18-Apr-11 15:46pm

Thank you for good and important notes and further advices. My 5.
--SA

Sergey Alexandrovich Kryukov 18-Apr-11 16:19pm

Unfortunately, OP just asked about "reversible" password which would completely defeat the purpose of all that and would be morally unacceptable (if I understand it right), please see the last comments if you're interested. I commented and added the [EDIT]. I don't know how else to explain it...
--SA

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Nish Nishant · Accepted Answer · 2011-04-18T07:49:00

Solution 1

.NET comes with tons of Crypto APIs. Take a look here:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.aspx[^]

You need to pick one based on whether you want one-way encryption, hashing, private keys, etc. Too many factors and choices there, so it's eventually up to you and based on what you need for your specific scenario.

Posted 18-Apr-11 7:49am

Nish Nishant

Updated 18-Apr-11 7:50am

v2

Comments

Tarun.K.S 18-Apr-11 14:19pm

Good advice. 5+

Nish Nishant 18-Apr-11 18:14pm

Thank you.

Espen Harlinn 18-Apr-11 17:39pm

Important link, my 5

Nish Nishant 18-Apr-11 18:14pm

Thanks!

Espen Harlinn 7-May-12 6:04am

Good reply :-D

Sergey Alexandrovich Kryukov · Accepted Answer · 2011-04-18T08:02:00

Solution 2

You should never ever store passwords in their original form. If you think about it: you never need them for authentication, as you can always compare encrypted log-in password with you stored encrypted password. With public-key cryptography, you also don't have to store a private key (which is a ciphering key in this case; knowledge of a public key helps to decipher, but not cipher).

You can also store cryptographic hash of the password.

For strong ciphering I would advice RSA, see http://en.wikipedia.org/wiki/RSA[^], use System.Security.Cryptography.RSA, System.Security.Cryptography.RSACryptoServiceProvider, see http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsa.aspx[^]. You need to understand Public-key Cryptography, see http://en.wikipedia.org/wiki/Public-key_cryptography[^].

For the Cryptographic Hash approach, you need to understand how a Cryptographic Hash Function work, see http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].
For a Cryptographic Hash function, you can use, for example the one from the SHA-2 family, see http://en.wikipedia.org/wiki/SHA1[^]. It is implemented in .NET, see http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1.aspx[^].

Warning: Do not use MD5! (See http://en.wikipedia.org/wiki/MD5[^].) This algorithm is considered "broken", should never be used for any security purposes.

[EDIT]
In response to last comment by OP (on "reversible", see my response comment):
Assymmetric ciphering and public-key cryptography is based on the idea of one-way function, see http://en.wikipedia.org/wiki/One-way_function[^], see also trapdoor function: http://en.wikipedia.org/wiki/Trapdoor_one-way_function[^]. Everything is based on non-reversible algorithm.

[EDIT]

Also, don't use SHA-1 for security purpose — a security flaw was found. Please see
http://en.wikipedia.org/wiki/Sha-1[^].

—SA

Posted 18-Apr-11 8:02am

Sergey Alexandrovich Kryukov

Updated 7-May-12 6:20am

v4

Comments

Tarun.K.S 18-Apr-11 14:20pm

Good advice. 5+

Sergey Alexandrovich Kryukov 18-Apr-11 15:45pm

Thank you, Tarun,
--SA

apaka 18-Apr-11 14:36pm

I'm dealing with ftp and sftp user passwords. My idea is to encrypt them and store them in isolated storage and the decrypt the on use. It's all tricky for me because the project is probably be open source so it would be better to use some third party keychain utility, but if isn't something like that possible is the a sample way to encode an later decode a password. Thanks.

OriginalGriff 18-Apr-11 15:33pm

No, what SA is saying is: don't use encryption at all - use a hashing algorithm instead. The difference is that hashes cannot be reversed back to an enter-able password, but do not require a key which can be read: the only input is the data to hash. If you haven't got that, you cannot find out what it is! In this instance, much, much more secure than encryption / decryption.

OriginalGriff 18-Apr-11 15:31pm

Good advice - especially about MD5!

Sergey Alexandrovich Kryukov 18-Apr-11 15:44pm

Thank you, Griff.
For a record, I do recommend both encryption and hashing algorithm as two alternative approached; both can be used. The decision can be made based on required security scenario. That's why I emphasized on understanding of what encryption and hashing can deliver to the solution.
--SA

apaka 18-Apr-11 15:54pm

Thanks all but I need for passwords to be reversible so I could use it. I found this http://msdn.microsoft.com/en-us/library/tswxhw92.aspx it seems i can make algorithm different on every computer so I'll stick to that.

Sergey Alexandrovich Kryukov 18-Apr-11 16:09pm

What do you mean "reversible"? Do you mean that you need a way to crack the password it the user forgets it? Or you also need a way to impersonate your user without the user's consent?

I hope you mean something different.
If my guess is correct, you can figure out a way with some way based on the information you already have, but you need to 1) warn the used about this possibility; if I would be your user and figure out such fact without getting a warning from the company I would perhaps sue the company for such a dirty practices is it was possible; 2) stop using the terms "password" or "security"; 3) don't ask me for further help -- I'm not assisting with what I consider as unacceptable practice.

If this is something different, I'll gladly help if I can.
--SA

apaka 18-Apr-11 16:19pm

No user uses my app to log in on ftp o sftp server an do some stuff , so that he wouldn't type it every time he uses it(Remember password checkbox etc.)I want to encrypt the password save it and when app start to load it and log in on server.

Sergey Alexandrovich Kryukov 18-Apr-11 16:35pm

If a password is not typed every time, it is not a password ("remember me" on the servers is a wrong thing in my opinion), there are local password managers to avoid re-typing of the password on a secure personal computer based on a single master password; it should be up the user. However, you decide. If the password can be reversed by any means, the user should be warned and be able to opt it out -- this is a strong (maybe unwritten) law!
--SA

Sergey Alexandrovich Kryukov 18-Apr-11 17:24pm

Thank you for accepting this Solution.
Let me explain more in "remember me" option. I already explain it's unsafe and should be used optionally and with user consent only.
Also, you absolutely don't need to "reverse" (and never should) passwords. A personal password is much more valuable that a single session (however a session can be used to change password, but that should fully authenticate the used with old password).
"Remember me" simply means authentication by name, with no password. Think about it: implementing it via "remembered" password will (badly) decrease security, not improve it, while looking just the same from the user stand point.

In this way, I think I argued that the password should never should be made known to anyone but its creator.

--SA

Espen Harlinn 18-Apr-11 17:40pm

Very impressive effort, my 5

Sergey Alexandrovich Kryukov 18-Apr-11 22:13pm

Thank you, Espen.
--SA

Espen Harlinn 7-May-12 6:05am

Good reply :-D

Sergey Alexandrovich Kryukov 7-May-12 12:19pm

Thank you, Espen.
--SA