Encrypted Data Storage ? HowTo ?

[Microsoft]

Im trying to do a new app where i can store most of my passwords, basically
another "Password Keeper" style tool....
Question about this is what is the best way to store the data, as a plain
XML or MDB is totally insecure im wondering what other choices i do have and
how do i can implement them..

Forgot to mention that im using VB.net 2005...

Thanks

 

[Joe Kaplan \(MVP - ADSI\)]

Why not look at Keith Brown's Password Minder program? He's a known
security expert and put a fair amount of effort into getting this right. He
also publishes the source for the tool.

http://www.pluralsight.com/tools.aspx

Joe K.

 

[Cor Ligthert [MVP]]

Hi,

The typical behaviour from a password is that you don't store them.

Although some new fingertip and eye recognazion tools do that and are build
for that like a key. And don't loose your key because than your house is
open again.

If it about the a password storage tool, than is a newsgroup not the best
place how to do that. The method is than without sense because it is direct
to search for in Google.

There are many methods on MSDN, if I want to search for that, than I search
for "Rijndael". In one of those I live.

I hope this helps,

Cor

 

[Eugene Mayevski]

Hello!
You wrote on Sat, 18 Mar 2006 02:28:57 -0300:

M> Question about this is what is the best way to store the data, as a
M> plain XML or MDB is totally insecure im wondering what other choices i
M> do have and how do i can implement them..
M> Forgot to mention that im using VB.net 2005...

You can take a look at SolFS (http://www.eldos.com/solfs/), which is a
virtual file system with built-in strong encyrption and compression.

With best regards,
Eugene Mayevski

 

[Michel Posseth [MCP]]

You might consider the credit card storage aproach

i.o.w. a one way hash ,,,, the validation data is encrypted with a one way
hash algorythm ,,, so the creditcard number that a users entest is also put
through this same algorythm and compared to the validation data ..

Advantage ,,,

No one knows the actuall data except the user , even the database
administrator can`t retrieve his password as it is not known to him ( you
could even extend this technique to a XML or "flat" file )

here is a verry nice article to give you some idea`s
http://www.devx.com/dbzone/Article/26726/0

regards

Michel Posseth [MCP]

 

[C-Services Holland b.v.]

You might consider the credit card storage aproach

i.o.w. a one way hash ,,,, the validation data is encrypted with a one way
hash algorythm ,,, so the creditcard number that a users entest is also put
through this same algorythm and compared to the validation data ..

Advantage ,,,

No one knows the actuall data except the user , even the database
administrator can`t retrieve his password as it is not known to him ( you
could even extend this technique to a XML or "flat" file )

here is a verry nice article to give you some idea`s
http://www.devx.com/dbzone/Article/26726/0

regards

Michel Posseth [MCP]

How is that going to help? Storing a hash of the passwords so that they
are not retrievable... when the whole point of his app will be to store
passwords so he CAN retrieve them, at least that's how I read his
question. He just needs a way to store them safely.

 

[Michel Posseth [MCP]]

ouch .......

yes you are right,,, i was totally wrong understanding his intention ,,,,,
( i need to read more carefully before i answer

regards

Michel

You might consider the credit card storage aproach

i.o.w. a one way hash ,,,, the validation data is encrypted with a one
way hash algorythm ,,, so the creditcard number that a users entest is
also put through this same algorythm and compared to the validation data
..

Advantage ,,,

No one knows the actuall data except the user , even the database
administrator can`t retrieve his password as it is not known to him (
you could even extend this technique to a XML or "flat" file )

here is a verry nice article to give you some idea`s
http://www.devx.com/dbzone/Article/26726/0

regards

Michel Posseth [MCP]

How is that going to help? Storing a hash of the passwords so that they
are not retrievable... when the whole point of his app will be to store
passwords so he CAN retrieve them, at least that's how I read his
question. He just needs a way to store them safely.