As long as the service used DataProtectionScope. CurrentUser and the service user is different from the logged on user, the password should be pretty safe.
This of course assumes that the users are running as limited users who cannot modify the service or run program as the service's user. Because you are using WinForms and. Net, your code is going to be visible in MSIL - even if obfuscated, and therefore your decryption code is visible.
Who are you trying to hide the password from? Is the user of the app not supposed to know the password? I think you are going to need to do some user validation, and I would be tempted to put keys to the decryption in a separate database and provide some other mechanism to get that out which should require authentication.
That way you can get the decryption code out of the winforms app. I would also suggest a separate service which runs to regularly change the encryption decryption keys and updates all passwords in the database. Better place would be the registry, since it would protect other users of the machine getting to it. Still have to deal with the certificate password being in your code. I just implemented something like this for storing a user supplied password. I converted the encrypted result to a base 64 encoded string, so that I could easily store it in my application's user settings.
From your question, it seems that your malicious user is actually using your application, so this will only provide obfuscation. Though no key would be revealed through the use of Reflector, the plain text would be visible in a debugger. Do not store the password as part of the code. Aside from the issues of decompilation and relying on security through obscurity, if you change the password you need to recompile and redistribution your application.
Store the password as a webservice or in a database that the application has access to. You're communicating with a service over the web, so you will be connected, after all. One of the most important thing is the permissions on the file. Even if the content is encrypted you need to make sure that only the processes that need access to the file can read it.
AES is good enough if you need to store locally, and talking about disasms, network sniffers etc is not particulary good contra-argument becuase the same thing can be done with any program sure, ASM is harder then CIL but its a minior point.
Such password protecting is good enough to prevent casual pick up, not to prevent decoding by proffesionals. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams?
Collectives on Stack Overflow. Learn more. Best practices for encrypting and decrypting passwords? NET Ask Question. Asked 12 years, 8 months ago. Active 8 years, 10 months ago. Viewed 34k times. NET 3. Improve this question. John Topley k 45 45 gold badges silver badges bronze badges. Eyvind Eyvind 5, 5 5 gold badges 39 39 silver badges 57 57 bronze badges. Should be retitled "Best practices for encrypting passwords", as decrypting passwords is decidedly NOT best practice.
No, it should not; that would be a different question entirely. Add a comment. Active Oldest Votes. Improve this answer. Matthew any standard authentication system for services would work great.
Robert: would you care to elaborate? What am I not getting here? This also allows you to block users if needed in future. Rather than returning the password to clients that then use it to connect directly to the third-party service, you might consider running an authenticated web service that proxies all client requests to the real service; your password to the third-party service is never sent to the client.
This is more expensive for you and adds a little overhead to the calls, but gives the best security. Depends on the value of securing the password. ToBase64String hashBytes ; You can calculate the salted hash of the password and store that within your file.
Young Bob 3 3 silver badges 9 9 bronze badges. Enyra Enyra As stated in the question, I must decrypt it because the service accepts only a password in unencrypted form. If you can not avoid it, I would use AES, but be aware that any encryption key can be read from the assembly, so it's not really save.
Hello, Is the SHA encryption good enough for program storing passwords in plain text file? I am looking for description methods for my password storing program, and I am not sure which should I use. It is difficult to say if this is enough since I don't know your application.
It depends only how critical is the data to protect with the pw and thru which channels you can access the pw. Basically the longer the key the more secure. In you case I assume that you just try to prevent normal users to read the plain password, on an environment where just a view persons have access to it otherwise sou would not store it within a password. Improve Article. Save Article. Like Article. Last Updated : 31 Jul, Recommended Articles.
Article Contributed By :. Easy Normal Medium Hard Expert. Writing code in comment? Please use ide. Load Comments. What's New. Most popular in PHP. Most visited in PHP Programs.
How to call PHP function on the click of a Button?
0コメント