Check Network Password


henrycortezwu

Hi all,
For example you have 2 text boxes:
tbxUsername = Environment.UserName.ToString
tbxPassword = ********

How do you check if the password entered by the user matches the same
network (Windows) password of the user?

Thanks,
Henry :)
 
You use LoginUser API, but it fails in Windows 2000 because you need
SE_TCB_NAME (act as part of the operating system) set. It's the $64,000
question on how to set this because Windows 2000 security would be pointless

If you use XP then you are ok because the function succeeds

Remember to use Zero Memory to clear the password from memory afterwards

Crouchie1998
BA (HONS) MCP MCSE
 
Crouchie1998 said:
Remember to use Zero Memory to clear the password from memory afterwards

I wouldn't recommend that because the runtime can move the string object in
its lifetime before calling 'ZeroMemory' and thus still parts/copies of the
string's data can exist in memory. .NET 2.0 will contain a 'SecureString'
class which won't suffer from this problem:

'SecureString' Class ('System.Security')
<URL:http://msdn2.microsoft.com/library/7kt014s1(en-us,vs.80).aspx>
 
If you look at one of the KB articles about encryption then Microsoft use
ZeroMemory to clear the password. So, you are going against their
recommendations if you don't. It's also mentioned in the Platform SDK to use
it after using LoginUser API function.

What if the user is using the 1.0 or 1.1 Framework & not version 2.0 of the
Framework?

I am reading the Secure String article from the .Net Framework 2.0 Beta 2
Documentation & said that it 'should' be included in the final framework,
not 'would' as yet.

In the .Net Framework 1.0 & 1.1, I would recommend to use
ZeroMemory("[String]", [StringLength * 2])

In the old days of NT, it wasn't even used to clear the login password from
memory & I am not sure it's used in XP, but is in 2000.

At the end of the day, it's up to the user if they want a secure/insecure
application.

Crouchie1998
BA (HONS) MCP MCSE
 
Crouchie1998 said:
If you look at one of the KB articles about encryption then Microsoft use
ZeroMemory to clear the password. So, you are going against their
recommendations if you don't. It's also mentioned in the Platform SDK to use
it after using LoginUser API function.

Do you have the URL of this article? I still think that this recommendation
is rather useless for .NET-based applications.
 
Crouchie,
| If you look at one of the KB articles about encryption then Microsoft use
| ZeroMemory to clear the password. So, you are going against their
| recommendations if you don't. It's also mentioned in the Platform SDK to use
| it after using LoginUser API function.
I would say you are going against their "suggestion" if you don't. Not
"recommendations".

See the "sizeof? is there a .NET equivalent" thread in this newsgroup for
further info on the "problems" of calling ZeroMemory.

Keith Brown's book "The .NET Developer's Guide to Windows Security" from
Addison Wesley contains a plethora of information on security under Win32 &
specifically .NET. I want to say it included a discussion of "zeroing"
memory. You can access the book on-line at:
http://www.pluralsight.com/keith/book/html/book.html, unfortunately I don't
remember which topics discussed "zeroing" memory.

Thinking about it, it may have been one of Keith Brown's MSDN Magazine
articles that discusses "zeroing" memory in .NET, or possibly even his
blog...

Hope this helps
Jay

 
Crouchie,
Here's another article about SecureString.

http://msdn.microsoft.com/msdnmag/issues/05/01/SecurityBriefs/

Hope this helps
Jay

 
Crouchie,
Yes I've seen that code as part of the "sizeof? is there a .NET equivalent"
thread in this newsgroup, the other day.

My statements still stand!

Hope this helps
Jay


| Jay, I have the Framework Beta 2 SDK on my development machine.
|
| Here's the article in which Microsoft use ZeroMemory like I described
| before:
|
| http://support.microsoft.com/default.aspx?scid=kb;en-us;301070
|
| You need to look at the very last few lines of code
|
| Crouchie1998
| BA (HONS) MCP MCSE
|
|
 
