I am using the Visual C# built-in Settings feature to save some of my program's options. I also want to store one password, but then it becomes public... Is it possible to encrypt the password before saving it using this settings method and then decrypt it back?

+2  A: 

If you encrypt the password, you will still have to store a decryption key somewhere in the program, so it still amounts to security by obscurity.

However, it would keep the honest people honest.

The most common practice I have seen for this is a challenge/response system, where the user puts in a registration name, the program provides a challenge string, and you email them the corresponding response string (encrypted), which the user cuts and pastes into a registration dialog in the program. The program decrypts the response, compares it to the challenge, and off you go.

Of course, since you still have to provide the decryption password in the program itself, it can still be defeated by a determined hacker.

Robert Harvey
+4  A: 

A simple way to do it is to encrypt the password with itself. You'll never be able to unencrypt it, but you will be able to compare a user-entered password to it.

Andrew Lewis
+1 I like that idea.
Robert Harvey
Can you give me a hint how I can "encrypt the password with itself"... What do you mean by that? Thank you.
Badr Hari
I suspect the OP wants to store the password so that the user doesn't need to type it again... If it's the case, this solution isn't very helpful ;)
Thomas Levesque
Yes, that's exactly what I wanted to do, Thomas...
Badr Hari
@Badr: As a matter of best practice, it is more secure not to store a password at all. If you issue a temporary password to people who forget their password, you don't have to worry about retrieving it. In any case, what Andrew means is to *use the password itself as the encryption key.*
Robert Harvey
Yes, Robert is exactly right. Sorry I don't have any sample code right now. Any sample .NET encryption code will take a key, and a value to encrypt. Use the password as both the key and value, and store the result in your database. Next time the user types in a password, encrypt it the same way and compare it to what is stored in the database. That way you're never storing it in plain text, and you can't easily decrypt it.
Andrew Lewis
+2  A: 

For simple encryption needs, I've used the DPAPI via the ProtectedData class. To make the resulting encrypted value storable in a text file or registry, I encode the resulting byte array.

Here is the class I wrote to wrap this up:

namespace SomeNamespace
{
   using System;
   using System.Security.Cryptography;
   using System.Text;

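   /// <summary>
   /// Used for encryption and decryption.
   /// </summary>
   public static class DataProtector
   {
      // Optional extra entropy passed to DPAPI; the same value must be supplied to Unprotect.
      // With DataProtectionScope.LocalMachine (used below), DPAPI ties the data to this
      // computer rather than to one user account.
      private const string EntropyValue = "secret";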

      /// <summary>
      /// Encrypts a string using the DPAPI.
      /// </summary>
      /// <param name="stringToEncrypt">The string to encrypt.</param>
      /// <returns>The encrypted data.</returns>
      public static string EncryptData(string stringToEncrypt)
      {
         byte[] encryptedData = ProtectedData.Protect(Encoding.Unicode.GetBytes(stringToEncrypt), Encoding.Unicode.GetBytes(EntropyValue), DataProtectionScope.LocalMachine);
         return Convert.ToBase64String(encryptedData);
      }

      /// <summary>
      /// Decrypts a string using the DPAPI.
      /// </summary>
      /// <param name="stringToDecrypt">The string to decrypt.</param>
      /// <returns>The decrypted data.</returns>
      public static string DecryptData(string stringToDecrypt)
      {
         byte[] decryptedData = ProtectedData.Unprotect(Convert.FromBase64String(stringToDecrypt), Encoding.Unicode.GetBytes(EntropyValue), DataProtectionScope.LocalMachine);
         return Encoding.Unicode.GetString(decryptedData);
      }
   }
}
Russell McClure
Yes, thanks to your code I managed to do it on my own... I love you!!!
Badr Hari