"Gordon Knote" <an*******@discussions.microsoft.com> wrote in message
news:0C**********************************@microsof t.com...
Hi,
thanks for your answer. The reason why I can't store a hash is that the
password is stored only for the user's comfort so that he doesn't have to
enter it again and again. Unfortunately, the server the client talks to just
wants the password in plaintext, not hashed...so there's no choice for me. Sure, encrypting is quite a good idea, but with which key? How does
Microsoft solve the problem (e.g. in the internet explorer, or passport...)?
Well, don't you have any way to modify the Server application? :-)
If not, then you're facing a big problem here. You can for sure encrpyt it
with a symetric key, there are loads of free libraries out there that will
do that for you. However, the problem remains the same, where and how would
you store the key? I believe (i hope at least) that IE or the Microsoft
passport system are only storing hash of the passwords.
You can always go the easy way by using symetric encryption and do some
dirty things such as derivating the key from the processor serial number or
hardcoding it in your obfuscated code but all that will not discourage
anybody who really want to break your system. This is not in any way
something called security.
Sorry not to provide THE answer but i can suggest you to have a look at the
archives of this newsgroup: microsoft.public.dotnet.security or even post
your question there. You'll have maybe more usefull advices than here.
