tags:

views:

38

answers:

2
Q: 

How do I safely store a password in a file??

My program requires password to open some features. The password can be set by an administrator. My app stores the password in a file. But, if the file was deleted or damaged, the app loose the password. Another scenario is if the file was replaced with original file then the password will be empty. Any suggestions about storing a password in a file?

edited : My app has a feature. The feature is protected by a password that can be set by a admin (owner of the PC). Guest should enter password to disable that feature. OS : Windows

A: 

You can't protect the file from being deleted. In that case just don't allow any user to log in to your application (same applies if the password is empty).

If you store passwords in a file (or anywhere really) you should hash them (e.g. using md5 or sha1). So they can't be read in plaintext. To check the password during login just do (basic example in php):

$password = file_get_contents('password.file'); // Outside webroot of course
if(md5($_POST['password']) == $password) {
    // Login OK
}
halfdan  2010-09-24 09:03:56
A: 

What kind of program ? Which platform ? Windows, mac, linux, android ?

Files can always be deleted or replaced, one way or another. You can put it somewhere "safer" where the user can't find it easily, but if depends of the platform.

Loïc Février  2010-09-24 09:04:03
Security through obscurity (http://en.wikipedia.org/wiki/Security_through_obscurity) isn't worth anything.
halfdan  2010-09-24 09:06:16
Of course he will needs to md5 the password. What I means is that users may delete stuff that is in "My documents" by rarely in "Application data" (on windows).
Loïc Février  2010-09-24 09:09:15
I've updated my post. For example I have antivirus installed, it have a setup menu to protect unauthorized modification by user. If user want to disable the protection then he should enter the password. That's the scheme that I want to achieve
user  2010-09-24 09:20:32

related questions

How to show password-protected sensitive applications to prospective employers?
Keeping passwords safe
Making A Secure Login
Password Protect a directory using IIS 7 Digest Authentication
"Remember Me On This Computer" - How Should It Work?
So my Excel-VBA project password can easily be cracked... What are other options?
Password protection of SAS Code
Opening a password-protected website from servlet
Is there a way to crack the password on an Excel VBA Project?
Determining with C# Whether a SQL Backup File is Password Protected
Plain text password over HTTPS
Secure directory password protection without .htaccess
Password Protecting an Excel file in C#
How best to screen scrape a password protected site on behalf of a 3rd party?
Log SQL Server Password change
Cakephp Password Protection with htaccess and htpasswd - howto?
Preventing DB password from being accidentally checked into public SVN
Password storage in source control
How to not hardcode passwords?
Non-random salt for password hashes
HTTP authentication logout via PHP
Password protected PDF/Excel reports using SQL Reporting services
What is the best way to password protect folder/page using php without a db or username
How password protection of Excel VBA code works?
VBA password protection: how it works? is it secure? are there any alternatives?