Secure password storing

G

Guest

Hi

In my application I need to store a password the user enters (unfortunately not a hash of it, but the password as a plaintext string). Is there any secure way to do so (by Visual Basic .NET)

Thanks
Gordon
 
F

Frank Eller [MVP]

Hi Gordon,
In my application I need to store a password the user enters
(unfortunately not a hash of it, but the password as a plaintext
string).

Why not the Hash ...? That's the safest way ...
Is there any secure way to do so (by Visual Basic .NET)?

The only way to store something securely is to encrypt it. You can never
save a password as plain text and be on the secure site. But there'S
possiblilities in .NET to encrypt and decrypt passwords (encrypt it before
it is stored, decrypt it before you check it ...). Looak at the
System.Security.Cryptography namespace.

Regards,

Frank Eller
www.frankeller.de
 
G

Guest

Hi

thanks for your answer. The reason why I can't store a hash is that the password is stored only for the user's comfort so that he doesn't have to enter it again and again. Unfortunately, the server the client talks to just wants the password in plaintext, not hashed...so there's no choice for me
Sure, encrypting is quite a good idea, but with which key? How does Microsoft solve the problem (e.g. in the internet explorer, or passport...)

Thanks so fa
Gordon
 
E

Elp

Gordon Knote said:
Hi,

thanks for your answer. The reason why I can't store a hash is that the
password is stored only for the user's comfort so that he doesn't have to
enter it again and again. Unfortunately, the server the client talks to just
wants the password in plaintext, not hashed...so there's no choice for me.
Sure, encrypting is quite a good idea, but with which key? How does
Microsoft solve the problem (e.g. in the internet explorer, or passport...)?

Well, don't you have any way to modify the Server application? :)

If not, then you're facing a big problem here. You can for sure encrpyt it
with a symetric key, there are loads of free libraries out there that will
do that for you. However, the problem remains the same, where and how would
you store the key? I believe (i hope at least) that IE or the Microsoft
passport system are only storing hash of the passwords.

You can always go the easy way by using symetric encryption and do some
dirty things such as derivating the key from the processor serial number or
hardcoding it in your obfuscated code but all that will not discourage
anybody who really want to break your system. This is not in any way
something called security.

Sorry not to provide THE answer but i can suggest you to have a look at the
archives of this newsgroup: microsoft.public.dotnet.security or even post
your question there. You'll have maybe more usefull advices than here.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top