
Where to save program password securely?

Subin Ninan
I have created a user-specific Windows application in C# which requires a password to log in.

This is what the application does:

1) The application checks for the user's password in the registry.
2) If the password exists, it asks for the password.
3) If the password is not found in the registry, it shows the set password form.

The problem arises when an unauthorised user deletes this registry key. The program asks to set a password if the registry key is not found.

Any idea where to save password or any other approach?
Oct 6 '10 #1
cloud255
Saving a password in the registry is really not a good idea. If your application is using a database the user credentials should be hashed and stored in the DB.

If you are not using a database you could store the password in the application's config file and then encrypt the relevant part of the config file.

If you insist on using the registry you could try to name the key something other than password, encrypt the actual password value and store that.
Creating a registry entry which seems like it belongs with the application should fool most users, but this is truly not a good approach.
Oct 9 '10 #2
My application is not using any database. The same problem will arise if I use config files to store the password. If the config file is deleted or the application is reinstalled, the old password will be lost.
I am currently storing a hashed password in the registry, but there are some registry monitoring tools available which can track the exact location of the registry key used by an application.
Check out my application and let me know how to overcome this problem. Google search with "secure folder 2.1 subin ninan" to get my application.

Thanks for your reply.. :)
Oct 9 '10 #3
Sfreak
Encapsulate this password in a file inside the system32 folder with a very scary name like winsjtd.onr (lol), better than reading from the registry.
Oct 9 '10 #4
:) thanks for your reply.
This will result in an IOException in Windows Vista & Windows 7. (lol)
I tried this trick before I came to know about the registry. Have a look at nirsoft.com. Lots of amazing tools are there, like regfromapp & filefromapp, which monitor registry keys & files accessed by an application.
How does professional software store passwords?
Oct 9 '10 #5
Sfreak
I think the issue is not the way you save the file (database or file); it is the way you manage the login. Do you save data in your application?
Oct 11 '10 #6
The problem in this case is not where or how the password is stored but the way the application behaves when the password is not found.

The application checks for the password; if the password is found, it shows the "login" form. If the password is not found (first time execution), it shows the "set password" form.
The problem is when someone deletes the file/registry key where the password was stored; in this case the application again shows the "set password" form.

I can't figure out how to add login functionality in my application.

Need help regarding STEPS INVOLVED in setting password and authenticating user.
Oct 11 '10 #7
Joseph Martell
Unfortunately, there is no good way around your problem. If you store the password on the local machine then the user can find a way to delete your file or registry entry no matter what. Using obscure registry keys or a random file in a random directory makes it less likely that someone will delete the file on purpose. If it is a user like me, it makes it more likely that I will delete the file because I think it is a random file or key in my registry that a sloppy program left behind, and I despise those.

There are probably very robust ways to do this, but you could link the password to the data. You could do something like hash the user's password with a private, randomly generated, fixed-length key and store the result in a file. In order to access the system the user must provide the matching password. The key that was hashed with the user's password is then used to decrypt/encrypt the data your program uses. As a final piece to the puzzle, if no password is found, you delete the data files for your program and force a fresh system.

This does a couple of things. First, you don't need random files or registry keys. You can actually keep the user's system clean because your security and system stability don't depend on chance. Second, if someone erases the password file, the data is destroyed. There is no way to bring the data back unless they back up the data and the password file and restore them both. Third, if a malicious user replaces the password file with one of their own they still have not defeated your system. The data still cannot be deciphered because they just threw away the key to decrypt the data. Finally, your hash algorithm is harder to decipher because the same password won't generate the same file twice (because you hash a random key with it).

If someone gets into your machine code and deciphers your hash algorithm, then you could be in trouble. I don't know how far you want to take this though.
Oct 11 '10 #8
Thanks for your help. How can I generate a random key (salt) to hash the password? In this case, I think both the hashed password and the key need to be saved on the user's system.
Can I use the current user account name or the IP address of the system as the key (salt) to hash the password?
How does the application know if the password was deleted or if it is being executed for the first time (password not set)?
My application is folder-lock type software, and the user should not be able to access locked folders by re-installing the application. So the password file/registry key is not set/removed during installation.
I am totally confused!!
Oct 12 '10 #9
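
The approach from post #8 (tie the password to the data), together with the salt question from post #9, as an added C# example that is not code from any poster in this thread. It swaps the "hash the password with a random key" step for PBKDF2 key derivation plus AES-GCM key wrapping; the names `KeyFile`, `Create` and `TryUnlock`, the iteration count and the file layout are assumptions, and it targets .NET 8 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
// Added example (not from the thread). KeyFile, Create and TryUnlock are hypothetical names.
public static class KeyFile
{
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, KeyLen = 32;
    const int Iterations = 600_000; // assumed PBKDF2-SHA256 work factor; tune to your hardware
    static byte[] DeriveKek(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyLen);

    // "Set password": make a random salt and data key, wrap the data key under the password.
    // Layout of the returned key file: salt | nonce | tag | wrapped data key.
    public static byte[] Create(string password, out byte[] dataKey)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen);  // CSPRNG, not user name or IP
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        dataKey = RandomNumberGenerator.GetBytes(KeyLen);       // key that encrypts the locked data
        byte[] wrapped = new byte[KeyLen], tag = new byte[TagLen];
        using (var aes = new AesGcm(DeriveKek(password, salt), TagLen))
            aes.Encrypt(nonce, dataKey, wrapped, tag);
        return salt.Concat(nonce).Concat(tag).Concat(wrapped).ToArray();
    }

    // "Login": a wrong password or a tampered/replaced key file fails the GCM tag check.
    public static bool TryUnlock(string password, byte[] file, out byte[] dataKey)
    {
        dataKey = new byte[KeyLen];
        int n = SaltLen + NonceLen;
        if (file.Length != n + TagLen + KeyLen) return false;
        byte[] salt = file[..SaltLen], nonce = file[SaltLen..n];
        byte[] tag = file[n..(n + TagLen)], wrapped = file[(n + TagLen)..];
        try
        {
            using var aes = new AesGcm(DeriveKek(password, salt), TagLen);
            aes.Decrypt(nonce, wrapped, tag, dataKey);
            return true;
        }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        byte[] file = Create("constructed-sample-pw", out byte[] key); // constructed input
        Console.WriteLine(TryUnlock("constructed-sample-pw", file, out byte[] k) && k.SequenceEqual(key));
        Console.WriteLine(TryUnlock("wrong-guess", file, out _));
        // Key file deleted, then "set password" run again: a fresh, unrelated data key.
        Create("new-password", out byte[] k2);
        Console.WriteLine(k2.SequenceEqual(key));
    }
}
```

The salt is stored in the clear next to the wrapped key; it only needs to be random and unique, not secret. Because the locked data is encrypted under the data key, a missing or replaced key file leaves that data unreadable whichever form the application then shows.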
