Best place to store passwords?

Hi,

My application uses passwords to limit access to certain parts of the app. I
was considering storing these in my database but have heard that there can be
problems with this. I have heard using the Global Assembly Cache (GAC) would
be a good place.

Does anyone have any opinions on this and how would I implement the GAC
scenario?

Thanks In Advance
Macca
Apr 20 '06 #1
Hi,

You can store it in the DB encrypted.

No idea how to store it in the GAC. AFAIK the GAC is only for assemblies;
how do you think to store a password there?
--
Ignacio Machin,
ignacio.machin AT dot.state.fl.us
Florida Department Of Transportation

"Macca" <Ma***@discussions.microsoft.com> wrote in message
news:03**********************************@microsof t.com...
> Hi,
>
> My application uses passwords to limit access to certain parts of the app. I
> was considering storing these in my database but have heard that there can be
> problems with this. I have heard using the Global Assembly Cache (GAC) would
> be a good place.
>
> Does anyone have any opinions on this and how would I implement the GAC
> scenario?
>
> Thanks In Advance
> Macca

Apr 20 '06 #2
Er... the Global Assembly Cache is just that, a cache of your
assemblies, i.e. your .DLL and .EXE files. If you hard-code your
passwords into your program, and you store your program in the GAC,
then, yes, you'd be storing your passwords in the GAC, albeit
vicariously.

I wonder if perhaps you mean Isolated Storage? That's where each
program gets a special unique location where it can read and write
internal (i.e. hidden from the user) data files, like application
settings, user settings, and the like. It's a much better way of doing
things than the registry, IMO. If that's what you mean, check out this:

http://www.dotnetdevs.com/articles/IsolatedStorage.aspx

But you should note that Isolated Storage is just a file system, so
unless you encrypt your password file somehow, anyone who understands
how your program is designed and .NET in general will be able to read
those passwords.

If this is a web application or an N-Tier application, I would suggest
that you follow Ignacio's suggestion -- store the passwords encrypted
on the database. That will allow you to keep the required passwords
identical no matter where the program is being used. If you stored the
passwords in Isolated Storage, and later changed them somehow, you'd
have to change the password for every installation of your application.
Big mess there.

Apr 20 '06 #3
sb
You shouldn't store passwords anywhere unless you absolutely have to (which
should be never). Instead, store a salted hash for each user's password
which can be verified by the app when the user types in their password. I
recommend Googling "C# salt hash" and reading through some of the many
articles out there on this common technique.

You can see the different hash functions inside the
System.Security.Cryptography namespace.

-sb

"Macca" <Ma***@discussions.microsoft.com> wrote in message
news:03**********************************@microsof t.com...
> Hi,
>
> My application uses passwords to limit access to certain parts of the app. I
> was considering storing these in my database but have heard that there can be
> problems with this. I have heard using the Global Assembly Cache (GAC) would
> be a good place.
>
> Does anyone have any opinions on this and how would I implement the GAC
> scenario?
>
> Thanks In Advance
> Macca

Apr 20 '06 #5
Store the (encrypted) passwords in a database, or store them
(encrypted, again) in a .config file, depending upon the application.

Apr 20 '06 #6