

[C#] Safe place to store information





Ironz
hey,

i have a question concerning C#.

i have a program that requires logging in.
people have to enter their username and password and then login.
the problem is that i want to add a "remember password" feature where if checked, the password entered will be saved along with the username.
if it is not checked then the username will only be saved but not the password.

when the user opens the program again, all the usernames will be fetched and loaded and he can choose the one he wants and the password will be automatically added (that's if he previously checked the "remember password").
it's just like the msn, aim and all programs that require logging in.

But the question is: where do i save the password? and how do i do it?
what is the best way to do this?

Thank You.
Ironz
can anyone help me on this?

i have searched a lot and found that isolated storage is a good location to keep "encrypted" data but it has several problems:

first of all, it is user based, it's not a multi user option although it's not that big of a problem since one user should not retrieve the password of another.

another problem is that it is dependent on the location of the executable file so if i move the exe file from one place to another, the saved data will not be retrievable.

has anyone worked with this before and can provide advice?

Thank You.
AftershockVibe
Your program logs into another external system then right? Otherwise you'd need user and password info stored somewhere anyway.

With commercial applications this problem is avoided by implementing the login so that it doesn't actually require a password but only the encrypted password hash.

So, if you "remember the password" the computer only stores the hash for later use (one way encryption like MD5 or better) and if the user doesn't want this the password is just hashed by the program before being sent to the login system.

If the login system is not actually yours and requires the actual password text then there's not a lot you can do that works terribly well. The only way is reversible encryption to "save" the password in an encrypted form that can then be reversed if a key is also stored so at least there isn't a pure list lying around. However, this is a bit like having a password to get the password so there isn't a lot of point!
Stubru Freak
AftershockVibe wrote:
If the login system is not actually yours and requires the actual password text then there's not a lot you can do that works terribly well. The only way is reversible encryption to "save" the password in an encrypted form that can then be reversed if a key is also stored so at least there isn't a pure list lying around. However, this is a bit like having a password to get the password so there isn't a lot of point!


It's like hiding a key to open a safe containing another key.
Ironz
no the login system is not mine and the method you suggested works although i don't want to complicate the process for the users by adding another key that they have to remember so simply encrypting the passwords to make them unreadable is enough.

but i have searched a lot and found that isolated storage is a good location to keep "encrypted" data but it has several problems, like it is user based, it's not a multi-user option although it's not that big of a problem since one user should not retrieve the password of another.

i was also thinking about XML, since i can read the xml file and fetch the required data or can compare for the password and username.
it is easy and the xml just takes no size.
But anyone can build an application that reads the xml and gathers the data.

Thank You.
adhoc
If I couldn't get the hash thing to work, I would lay the burden of security where it should be: on the user's operating system. But then again, I use a Mac and we have that nice Keychain thing.

What you could also do is be clever about generating the encryption key. For example, let your code get a hash of your application executable and then use that to encrypt the passwords, maybe throw some not-too-often-changing dates (year, month) and things in there, etc. Your users will have to re-enter their password every few weeks, but that shouldn't be a big deal.
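
Added example, not part of adhoc's post or the thread: on Windows, the operating-system facility of this kind that .NET exposes is DPAPI, through the ProtectedData class. The class name RememberedPassword, the "ExampleApp" folder and the entropy label are assumptions made for this sketch.

```csharp
// Added example, not code from the thread. Windows only; needs a reference to
// System.Security (.NET Framework) or the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class RememberedPassword
{
    // Hypothetical label passed as DPAPI "optional entropy". It is not a secret; it only
    // means a blob handed to Unprotect without this value does not decrypt.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp/remember-password/v1");

    // Hypothetical location in the per-user application-data folder, so it does not
    // depend on where the .exe is. The file name is a hash of the username.
    static string PathFor(string username)
    {
        string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
        string dir = Path.Combine(appData, "ExampleApp");
        Directory.CreateDirectory(dir);
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(username));
            return Path.Combine(dir, BitConverter.ToString(digest).Replace("-", "") + ".bin");
        }
    }

    public static void Save(string username, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        // CurrentUser scope: the key is tied to this Windows account's logon credentials.
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(PathFor(username), blob);
        Array.Clear(plain, 0, plain.Length);
    }

    // Returns null when nothing is saved or the blob cannot be decrypted.
    public static string Load(string username)
    {
        string path = PathFor(username);
        if (!File.Exists(path)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(path), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException) { return null; }
    }
}
```

With CurrentUser scope the blob is unreadable to other Windows accounts and to anyone who only copies the file, but any program running as the same user can still call Unprotect on it.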
Ironz
well i have actually found a custom class that uses the hashtable, serialization and isolated storage to manipulate and store application data. it's very easy to use and very small as well.

the stored data are not humanly readable and i have signed my application so the data are now stored in a more "hidden" place.
charitharanasingha
Hey Buddies,

Can i suggest a simple way, when the user logs in first time, just save the username and password in a .Dat file or a .txt file, .Dat file will be fine.

So prior from next time use that file to gather the login details

I hope you are done
Fire Boar
charitharanasingha wrote:
Hey Buddies,

Can i suggest a simple way, when the user logs in first time, just save the username and password in a .Dat file or a .txt file, .Dat file will be fine.

So prior from next time use that file to gather the login details

I hope you are done


Then along comes the next guy, opens said file in a text editor and notes the username and password... yeah, that's not a good idea.
charitharanasingha
Fire Boar wrote:
charitharanasingha wrote:
Hey Buddies,

Can i suggest a simple way, when the user logs in first time, just save the username and password in a .Dat file or a .txt file, .Dat file will be fine.

So prior from next time use that file to gather the login details

I hope you are done


Then along comes the next guy, opens said file in a text editor and notes the username and password... yeah, that's not a good idea.


Hmm yeah maybe but we can encrypt it and save in a .dat file will be fine isn't it?
Fire Boar
charitharanasingha wrote:
Fire Boar wrote:
charitharanasingha wrote:
Hey Buddies,

Can i suggest a simple way, when the user logs in first time, just save the username and password in a .Dat file or a .txt file, .Dat file will be fine.

So prior from next time use that file to gather the login details

I hope you are done


Then along comes the next guy, opens said file in a text editor and notes the username and password... yeah, that's not a good idea.


Hmm yeah maybe but we can encrypt it and save in a .dat file will be fine isn't it?


And there you hit upon the crux of the issue. The extension makes not a lick of difference - files are just files, no matter if they're .dat, .txt, .png or whatever. The rest of the thread has been about how best to encrypt - you basically need a non-hashing algorithm, which means you need to store the key somewhere. That's tricky: the key is needed to decrypt, but typically you'll also need to keep the key on the same machine as the password. Systems like Gnome have a "keyring" feature where you enter one password, that password is then hashed and used as a universal key for encrypting all other passwords and password-like features with "remember me" boxes. The keyring is then unlocked once per login session by typing in the keyring password.

However, with Windows (and since this is C#, I assume it's Windows) there is no such system. You (the OP) are either going to need to come up with something else or settle for inferior security.
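
Added example, not part of Fire Boar's post or the thread: the keyring scheme described above, where one password unlocks a key that encrypts every remembered password. PBKDF2 stands in for the "hashed" step and AES-GCM for the encryption; both choices, the Keyring class name and the iteration count are assumptions of this sketch.

```csharp
// Added example, not code from the thread. Requires .NET 8 or later.
using System;
using System.Security.Cryptography;
using System.Text;

sealed class Keyring
{
    const int Iterations = 600_000;  // assumed PBKDF2 work factor for this example
    readonly byte[] _key;            // held in memory only while the keyring is unlocked

    // The salt is not secret; store it next to the encrypted entries.
    public static byte[] NewSalt() => RandomNumberGenerator.GetBytes(16);

    // Unlock once per session: stretch the keyring password into a 256-bit key.
    public Keyring(string keyringPassword, byte[] salt)
    {
        _key = Rfc2898DeriveBytes.Pbkdf2(
            keyringPassword, salt, Iterations, HashAlgorithmName.SHA256, 32);
    }

    // Entry layout: nonce (12 bytes) | tag (16 bytes) | ciphertext.
    // The account name is bound as associated data, so an entry moved under
    // a different username fails authentication instead of decrypting.
    public byte[] Seal(string account, string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] entry = new byte[12 + 16 + plain.Length];
        RandomNumberGenerator.Fill(entry.AsSpan(0, 12));  // fresh nonce for every entry
        using (var aes = new AesGcm(_key, 16))
            aes.Encrypt(entry.AsSpan(0, 12), plain, entry.AsSpan(28), entry.AsSpan(12, 16),
                        Encoding.UTF8.GetBytes(account));
        return entry;
    }

    // Returns null for a wrong keyring password, a wrong account or a modified entry.
    public string Open(string account, byte[] entry)
    {
        if (entry == null || entry.Length < 28) return null;
        byte[] plain = new byte[entry.Length - 28];
        try
        {
            using (var aes = new AesGcm(_key, 16))
                aes.Decrypt(entry.AsSpan(0, 12), entry.AsSpan(28), entry.AsSpan(12, 16), plain,
                            Encoding.UTF8.GetBytes(account));
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException) { return null; }
    }
}
```

Nothing that can decrypt the entries is written to disk: the file holds only the salt and the sealed entries, and the key exists only after the user types the keyring password.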