I have a bit of code that needs to run with elevated privileges (more than I want the rest of my code running at).

I have my code that sets up the Impersonation working, but it requires a username, domain and password. As my code is in C#.net I know that the password can be found by anyone determined enough.

Is there a way to encrypt the password in my code? Or otherwise secure this password and still be able to pass it in?

Here is the code I am calling:

// Impersonate the privileged account for the duration of the using block.
using (new Impersonator("UserNameGoesHere", "DomainNameGoesHere", "Password Goes Here"))
{
     uint output;
     // Create the account on AUTHENTICATION_SERVER while impersonating.
     NetUserAdd(AUTHENTICATION_SERVER, 1, ref userinfo, out output);
     return output;
}

I would love an example that shows how to fix this to not show my password in plain text.

I am using Visual Studio 2008, .NET 3.5 SP1, and running on Windows Server 2003.

+5  A: 

Can you use the CryptoAPIs? See the accepted answer:

http://stackoverflow.com/questions/40853/how-to-store-passwords-in-winforms-application

amdfan
+4  A: 

Vaccano,

I would recommend investigating the data protection API (DPAPI) for what you're attempting to achieve. It is considered part of the solution in many best practice approaches to reversibly storing passwords needed by applications.

A good article discussing the DPAPI (and other techniques + concerns) can be found here:

http://msdn.microsoft.com/en-us/magazine/cc164054.aspx

With C# 2.0, P/Invoking isn't even required; managed wrappers exist:

http://blogs.freshlogicstudios.com/Posts/View.aspx?Id=41ca5a99-ddc0-4d0a-9919-2ce10bf50c7e

I hope this helps!

Sean McDonough
Jon Galloway has some examples of implementing this... http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
CptSkippy
+2  A: 

You didn't specify if this was a desktop or web app so...

ASP.NET 2.0 supports encrypting sections of the web.config.

CptSkippy
Your Link in the comment for Sean's answer was the most useful. Thanks!
Vaccano
http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
Vaccano
+4  A: 

You have multiple options here.

  1. You can hash the password the very first time and store the hash to a file. Now the next time you want to execute the code with elevated privileges, you need to accept/retype the password, re-compute the hash and match it with the stored hash. Only if it matches will you execute your code in elevation modes. You could hash using SHA. Please look at the System.Security.Cryptography namespace for examples on hashing.

  2. Second option is to encrypt the password using algorithms like AES. However you will need to have a key to do this and you will have to worry about securing this key.

  3. Third option is to use DPAPI and encrypt the password but not worry about securing the keys - much easier option than 2.

I would recommend 1 if you do not mind re-entering the password every time the application starts. If that is not a possibility, I would suggest going with 3 and use DPAPI.

Here are some links to get you started.

  1. http://www.obviex.com/samples/dpapi.aspx
  2. http://www.obviex.com/samples/Encryption.aspx

msvcyc
The suggestion to hash the password fails to take the rainbow table attack into account. The password must be "salted" before it is hashed. See http://www.codinghorror.com/blog/archives/000949.html
Wim Coenen
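As an added example (not code from any of the answers above, nor from the asker's project), here is what the DPAPI route recommended by Sean McDonough and by msvcyc's option 3 looks like with the managed ProtectedData wrapper that ships with .NET 2.0+ (assembly System.Security.dll, so add that reference in Visual Studio 2008). The Impersonator class, the blob file path and the entropy value are assumptions taken from the question or made up for the example.

```csharp
// Added example: protect the impersonation password with DPAPI so the clear
// text never appears in source. Assumes the asker's Impersonator class exists
// with the constructor shown in the question.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class ProtectedCredential
{
    // Optional entropy is mixed into the DPAPI key so that another process
    // running under the same Windows account cannot unprotect the blob unless
    // it also knows this value. Constructed for the example; in a real build
    // keep it out of the source tree (e.g. an ACL-protected file).
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-entropy-change-me");

    // One-time setup step. Run it interactively under the same account that
    // will later call Unprotect: CurrentUser scope binds the blob to that
    // user's profile keys, while LocalMachine scope would let any process on
    // the box decrypt it.
    public static void Protect(string password, string blobPath)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // don't leave the clear text in the buffer
        File.WriteAllBytes(blobPath, blob);
    }

    // Runtime step: recover the password only for the duration of the
    // impersonation. Throws CryptographicException if the blob was protected
    // under a different account, scope or entropy, which is the check you want.
    public static string Unprotect(string blobPath)
    {
        byte[] blob = File.ReadAllBytes(blobPath);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

class Usage
{
    // Hypothetical call site mirroring the question's snippet.
    static void RunElevated()
    {
        string password = ProtectedCredential.Unprotect(@"C:\ProgramData\MyApp\svc.dpapi");
        using (new Impersonator("UserNameGoesHere", "DomainNameGoesHere", password))
        {
            // ... NetUserAdd call from the question goes here ...
        }
    }
}
```

Note that the managed string returned by Unprotect is immutable and stays in memory until the garbage collector reclaims it; if that matters, move the Impersonator constructor to a SecureString overload and decode the DPAPI output directly into it.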