C# - Securely storing a password locally
I'm creating a C# application that will lock out functionality (key combinations, windows task bar, etc.) in a Kiosk-style environment. One of the requirements is that some people should still be able to break out of the application using a key combination and a password.

The application itself is completely done, but I have not found a good way to store and check against a password. Everything should be stored locally (there is no check against a network database or anything similar). How can I define a password for unlocking my application while also keeping this flexible (the ability to change the password without recompiling the application)? How can I accomplish this in a secure way?

Osi answered 6/6, 2013 at 8:43 Comment(2)
Instead of DIY, how about setting up a local Admin account? Your app won't block Ctrl+Alt+Del anyway. - Devisor
No, it won't. But the requirement is that one should be able to get full access to the current session. I can't change that, unfortunately. - Osi

The standard method for storing a password in a configuration file is to use a strong hash algorithm. Read the answer at How to store passwords in Winforms application? and maybe the wiki article at https://en.wikipedia.org/wiki/Cryptographic_hash_function

Embattled answered 6/6, 2013 at 8:48 Comment(1)
Note that you should always salt your passwords before hashing to avoid rainbow table attacks! - Whitmire

Store a secure hash of the password, it doesn't need to be reversible.

When someone enters a password you hash that by the same algorithm and check it matches the hash.

Because you never store the actual password it's secure.

I recommend using a key stretching algorithm like PBKDF2. .NET has support for this using Rfc2898DeriveBytes or you can use System.Web.Helpers.Crypto.

In addition the password you use should be long (at least 12 chars, but longer the better) and salted with an extra string that stops attackers using a rainbow table attack.

Brosine answered 6/6, 2013 at 8:49 Comment(0)

I have to disagree with Brian, because as of now the standard method for storing passwords in any database is to "salt" (see Wikipedia for a detailed explanation) the password with a randomly generated value and store the hashed value and the salt in your "database" (see remarks). The salt is not a secret so you can store it in plain text. Whenever the user enters the password you read the salt from your file, apply it to the entered password and then apply your chosen hash algorithm. Then you compare the results with your stored hash. If they match, the user is authenticated. For a good (and entertaining :)) explanation why "just" hashing the password isn't enough, see: How NOT to store passwords! For a tutorial implementation of the salting and hashing process in C# see: C# Salting & Hashing Passwords

You can also find a good way to do this here: https://stackoverflow.com/a/12657970


For a quick reference, the process in pseudocode:

First password storage:

//get user input
username = GetUserName
password = GetPassword

//generate random salt
salt = GetRandomValue

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//store hash value and salt in database
AddToDatabase(username, hashedPassword, salt)


User login:

//get user input
username = GetUserName
password = GetPassword

//read salt from database
salt = GetSaltFromDatabase(username)

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//compare hash to stored hash value
correctHash = GetHashFromDatabase(username)
if (hashedPassword == correctHash) then
    passwordIsCorrect = True
else
    passwordIsCorrect = False
end if


Remarks:

  • This assumes that your usernames are unique as they are used as identifying key in your "database".
  • The "database" doesn't have to be any kind of "real" database, it can also be your configuration file or a plain text file.
Whitmire answered 5/1, 2015 at 13:0 Comment(0)
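The following is an added example, not code from any of the answers above: it implements the store/verify process from the pseudocode, but with the PBKDF2 key stretching (Rfc2898DeriveBytes) that Brosine recommends instead of a plain hash, using a local text file as the "database". The file path, record format, iteration count and .NET 6+ APIs are my assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example for this thread: salted, stretched password storage in a local file.
public static class LocalPasswordStore
{
    private const int SaltSize = 16;          // 128-bit random salt, stored in clear
    private const int HashSize = 32;          // 256-bit derived key
    private const int Iterations = 100_000;   // assumed work factor; raise as hardware allows

    // First password storage: derive hash from password + random salt, persist both.
    public static void SetPassword(string path, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Derive(password, salt, Iterations);
        // Assumed record format: iterations$base64(salt)$base64(hash), so the salt and
        // work factor travel with the hash and the password can change without recompiling.
        File.WriteAllText(path,
            $"{Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}");
    }

    // Unlock check: re-derive with the stored salt and compare in constant time.
    public static bool VerifyPassword(string path, string candidate)
    {
        if (!File.Exists(path)) return false;
        string[] parts = File.ReadAllText(path).Trim().Split('$');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] stored = Convert.FromBase64String(parts[2]);
        byte[] computed = Derive(candidate, salt, iterations);
        // FixedTimeEquals avoids leaking how many leading bytes matched via timing.
        return CryptographicOperations.FixedTimeEquals(stored, computed);
    }

    // PBKDF2-HMAC-SHA256 via the static Rfc2898DeriveBytes.Pbkdf2 overload (.NET 6+).
    private static byte[] Derive(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, HashSize);

    public static void Main()
    {
        string path = Path.Combine(AppContext.BaseDirectory, "unlock.pwd"); // assumed location
        SetPassword(path, "correct horse battery staple");
        Console.WriteLine(VerifyPassword(path, "correct horse battery staple")); // True
        Console.WriteLine(VerifyPassword(path, "wrong password"));               // False
    }
}
```

Because the salt and iteration count are read from the file at verification time, an operator can reset the unlock password by rewriting that one file rather than rebuilding the application.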

You can store a hash of your key and a password somewhere, for example in some local file. When a person inputs the key and password, you compute the hashes for these values and compare them with the hashes in your file.

Hoeg answered 6/6, 2013 at 8:48 Comment(0)

You need a hash of the password and validate using the hashed text. Adding a salt can make your password more secure. In .NET, you can use System.Security.Cryptography.RNGCryptoServiceProvider.

Here is a good article talking about how to store your passwords and I use its way in my web application.

Berkeleian answered 6/6, 2013 at 8:56 Comment(0)

It is relatively easy using the ProtectSection() and UnprotectSection() methods from the SectionInformation class. See this article:

http://www.davidgiard.com/2012/06/05/EncryptingAndDecryptingApplicationConfigSections.aspx

http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx

Cowry answered 6/6, 2013 at 8:48 Comment(3)
Good link, but answers shouldn't just be the link and nothing more. - Brosine
There is a full article, much better than whatever short explanation I can give here ;-) - Cowry
Maybe, but links die off over time. By all means link to a longer article, but the answer should be complete should that link change. - Brosine