How to securely store passwords in .NET applications?

How does Windows store passwords that it uses? For instance, when you
install a service, you can provide it the username and password. This
information is stored somehow so that at a later date the service can start
without interaction from the user. Also for COM+ components.

This is what I want to be able to do. I want the ability to store passwords
in a protected manner so that my .NET application can start a secure process
at a later time. Maybe some built-in mechanism in Windows or some framework
classes?

Nov 15 '05 #1
Search for DPAPI (data protection API). Only available on XP though.

Another search you can do is Key Store. Some people have written managed key
stores or key stores that integrate with the older NT api. In any case, it's
also data protection used to store secrets (like encryption keys and
passwords).

-Rob [MVP]
"Peter Rilling" <pe***@nospam.r illing.net> wrote in message
news:Od******** ******@TK2MSFTN GP12.phx.gbl...
How does Windows store passwords that it uses? For instance, when you
install a service, you can provide it the username and password. This
information is stored somehow so that at a later date the service can start without interaction from the user. Also for COM+ components.

This is what I want to be able to do. I want the ability to store passwords in a protected manner so that my .NET application can start a secure process at a later time. Maybe some built-in mechanism in Windows or some framework classes?


Nov 15 '05 #2
Thanks.

I am using DP for some of my code so I am familiar with it. But I am not
sure if I can use it to secure my passwords.

Is this how Windows saves the passwords for a Windows service or COM+
component? From what I know about DP, it uses the credentials of the
current user as the key to the encryption/decryption of data. This is fine
if I want to limit the encrypted information to the current user.

Let's take an example of a Windows service (you know, the programs that can
automatically start when the machine boots). Suppose that I install a
service application. I give that application the username and password for
some account. That information is stored somewhere, I assume in some
secured format. Later that day, the machine starts up. Upon boot, the
service that I installed is launched. (At this point in time, there is no
user context, so I would imagine that this information is not stored using the
DP API.) The password is retrieved by Windows (whatever process controls
the launching of services) and that information is passed to the
LoginUser(...) where it then uses the returned ticket. The other
alternative would be to store information at the machine level, but then
anyone with access to the machine can decrypt the information.

This is similar to what I would like to do. I want to encrypt some password
information. Store it. Then be able to use that information to call the
LoginUser(...) API function so that I can impersonate the current user when
my application requires certain resources. My application would be usable
by any account and my application should have access to a single username
and password that is defined by an administrator. This way, the application
can access these external resources by a single password, and that password
is secure so that none of the users of the system will be able to determine
what the password is and use it for other purposes.

"Rob Teixeira [MVP]" <RobTeixeira@@m sn.com> wrote in message
news:OX******** ******@TK2MSFTN GP10.phx.gbl...
Search for DPAPI (data protection API). Only available on XP though.

Another search you can do is Key Store. Some people have written managed key stores or key stores that integrate with the older NT api. In any case, it's also data protection used to store secrets (like encryption keys and
passwords).

-Rob [MVP]
"Peter Rilling" <pe***@nospam.r illing.net> wrote in message
news:Od******** ******@TK2MSFTN GP12.phx.gbl...
How does Windows store passwords that it uses? For instance, when you
install a service, you can provide it the username and password. This
information is stored somehow so that at a later date the service can start
without interaction from the user. Also for COM+ components.

This is what I want to be able to do. I want the ability to store passwords
in a protected manner so that my .NET application can start a secure process
at a later time. Maybe some built-in mechanism in Windows or some framework
classes?

Nov 15 '05 #3
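
The two DPAPI scopes weighed in this thread (per-user versus machine-level), shown through the .NET `ProtectedData` class. This is an added example, not code from any poster; the class name, the secret and the entropy string are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: DPAPI round trip via ProtectedData (Windows only; reference
// System.Security.dll or the System.Security.Cryptography.ProtectedData package).
static class DpapiDemo
{
    // Constructed value. Optional entropy is mixed into the key derivation; the OS
    // does not guard it, so it does not replace ACLs on wherever the blob is stored.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    static byte[] Seal(string secret, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try { return ProtectedData.Protect(plain, Entropy, scope); }
        finally { Array.Clear(plain, 0, plain.Length); } // shorten plaintext lifetime
    }

    static string Open(byte[] blob, byte[] entropy, DataProtectionScope scope)
    {
        byte[] plain = ProtectedData.Unprotect(blob, entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        const string secret = "constructed-sample-password";

        // CurrentUser: the blob is tied to the Windows account that created it.
        byte[] userBlob = Seal(secret, DataProtectionScope.CurrentUser);
        // LocalMachine: any account on this machine can unprotect the blob,
        // so the file or registry key holding it needs its own restrictive ACL.
        byte[] machineBlob = Seal(secret, DataProtectionScope.LocalMachine);

        Console.WriteLine(Open(userBlob, Entropy, DataProtectionScope.CurrentUser) == secret);
        Console.WriteLine(Open(machineBlob, Entropy, DataProtectionScope.LocalMachine) == secret);

        // Wrong entropy: Unprotect throws instead of returning garbage.
        try
        {
            Open(machineBlob, Encoding.UTF8.GetBytes("wrong"), DataProtectionScope.LocalMachine);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("unprotect failed: entropy mismatch");
        }
    }
}
```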
