|
It is never a good idea to store a password in plain text. It is best to encrypt the password and store the encrypted value.
Excellence is doing ordinary things extraordinarily well.
|
|
|
|
|
Even if it is Open Source?
What kind of key should I use? Use Profile ID or PC Fingerprint?
Which encryption method do you suggest?
|
|
|
|
|
You can prompt the user for a "master" password that you use to encrypt/decrypt the stored passwords.
|
|
|
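Added example, not part of any post in this thread: one way to implement the "master" password suggestion above, assuming .NET 8 or later. The class name, blob layout and iteration count are illustrative assumptions; the key is derived with PBKDF2 and the stored password is sealed with AES-GCM.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class MasterPasswordVault
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32;
    const int Iterations = 600_000; // assumed PBKDF2 work factor; tune for your hardware

    static byte[] DeriveKey(string master, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(master, salt, Iterations, HashAlgorithmName.SHA256, KeySize);

    // Returns Base64 of salt | nonce | tag | ciphertext; fresh salt and nonce per call.
    public static string Protect(string secret, string master)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] cipher = new byte[plain.Length], tag = new byte[TagSize];
        using (var aes = new AesGcm(DeriveKey(master, salt), TagSize))
            aes.Encrypt(nonce, plain, cipher, tag);
        return Convert.ToBase64String(salt.Concat(nonce).Concat(tag).Concat(cipher).ToArray());
    }

    // Throws CryptographicException if the master password is wrong or the blob was modified.
    public static string Unprotect(string stored, string master)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < SaltSize + NonceSize + TagSize)
            throw new CryptographicException("Stored value is too short.");
        byte[] salt = blob[..SaltSize];
        var nonce = blob.AsSpan(SaltSize, NonceSize);
        var tag = blob.AsSpan(SaltSize + NonceSize, TagSize);
        var cipher = blob.AsSpan(SaltSize + NonceSize + TagSize);
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(DeriveKey(master, salt), TagSize))
            aes.Decrypt(nonce, cipher, tag, plain);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        string stored = Protect("ftp-password (constructed sample)", "master passphrase");
        Console.WriteLine(stored);
        Console.WriteLine(Unprotect(stored, "master passphrase"));
    }
}
```

The master password itself is never written to disk; only the Base64 blob goes into the config file or database.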
|
|
Well, it seems I would have to do with a user-typed password. I will add an option for the user to choose how to store a password.
|
|
|
|
|
Use the RsaProtectedConfigurationProvider Class in the System.Configuration namespace to encrypt / decrypt configuration data.
|
|
|
|
|
For passwords, what I generally do is encrypt the password using an MD5 hash. This is a one-way encryption algorithm, so it cannot be decrypted. Now when you want to check, first encrypt the user input and then compare it with the existing value.
Say, for instance:
your password is "hello"; we encrypt it and store, say, "#548sfj".
Now if the user inputs "hello" again from the UI, you are going to encrypt it to get "#548sfj" and then compare them. This way you can remove the risk of your password being stolen (as most people use the same password for many logins).
To use the MD5 hash, use this function:
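    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static string EncryptPassword(string Password)
    {
        // Encode as UTF-8 so non-ASCII characters are not lost before hashing.
        byte[] data = Encoding.UTF8.GetBytes(Password);
        using (MD5 md5 = MD5.Create())
        {
            byte[] result = md5.ComputeHash(data);
            // The hash is raw bytes: Base64 keeps every byte, while ASCII decoding corrupts values above 0x7F.
            return Convert.ToBase64String(result);
        }
    }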
Now after you encrypt, store the password anywhere, such as an XML file, config files, a database, etc.
Hope you like my solution.
|
|
|
|
|
But this works only if you need to validate a user, you can't use this method to log in to another service (for example if the app uses the stored credentials to log in to an FTP server).
|
|
|
|
|
Oh yes. If the password is required exclusively by another application or service (as you are talking about FTP), you need to think about it differently.
You might then use Rijndael to encrypt them with a secret key. Place the secret key into your application, so that even if the user finds the data, he can't find the key in the config files; rather, the compiled code holds it.
You can also use encryption tools to encrypt the whole config files too. But in that case the actual motive to change the configuration couldn't be achieved very easily.
If you need the code on how to use Rijndael encryption, I can help you with this too.
|
|
|
|
|
Then the key is not secret.
|
|
|
|
|
At least better than writing in Web.config.
|
|
|
|
|
Sure, but you've only obfuscated the password, not actually encrypted it
(taking the MD5 of it, as you said earlier, works, because it's not reversible).
|
|
|
|
|
Yes... I always use it when I store passwords for my own system.
But the user wants to decrypt the string as well. You might have got this already from previous discussions.
|
|
|
|
|
You do know that MD5 has been shown to be weak, right?
|
|
|
|
|
Hey Dave....
You mean MD5 hashing is not secure enough and easily broken (even if it is a one-way hash)?
Should I opt for SHA-1 or SHA-2?
|
|
|
|
|
If your passwords are sensitive you should use a stronger hash function, like SHA. Some security flaws were identified in SHA-1 (see wiki), so you should use SHA-2 (224, 256, 384 and 512 bits).
|
|
|
|
|
Yes.. You are right. I was also thinking the same.
Thanks for your help.
Cheers.
|
|
|
|
|
Yes. MD5 is not very strong. SHA256 and 512 work best with a random salt.
Best wishes,
Navaneeth
|
|
|
|
|
Thank you so much for your help. It was already in my mind to change this to a SHA-2 hash. Just as you suggested, I think it's time to change.
|
|
|
|
|
No matter what you do to it, people using the program will have both the data and the code to decrypt it. You can only delay them. However, if you leave it as plain text even the silliest noob could read it (on the other hand, you'd have more to fear from actual hackers, not the noobs).
|
|
|
|
|
Ha ha... if you fear users who use Reflector to get strings, DotFuscator would be your option.
In DotFuscator there is also an option to encrypt strings in DLLs.
|
|
|
|
|
That wouldn't solve the problem, nothing would, the problem is impossible to solve
|
|
|
|
|
Ya, I agree. Even when using DotFuscator, it can also be cracked quite easily.
So I think we are thinking too much unnecessarily.
The actual author might have already found the solution, lol.
|
|
|
|
|
Yea you're probably right
|
|
|
|
|
On my last project I had to have a Windows Service Telnet into a Unix system, so I had to store the username and password. I stored them in a database with other configuration data. Only users with access to the configuration database would be able to see them.
|
|
|
|
|
Hi dudes,
I want to copy a table from an Access database to another table in another Access database in a Windows application using C#. What is the best solution? I don't want my application to hang while copying the data. I will be thankful.
And how can I make a progress bar and relate it to this copy so it will show how much further is needed to be done? You would solve a big problem of mine by answering me. Thank you all.
|
|
|
|