
I have a question I am hoping to be able to get some assistance with. I know this question has been asked before, and I have gone through a bunch of posts over the last few days. I have a form that allows users to enter a username and password and stores those in a registry key; that key is then referenced in a different app. I added my code for the app that sets the keys. Is someone able to explain to me the best way to provide the password some secrecy?

```csharp
// Requires: using Microsoft.Win32; using System.Text.RegularExpressions;
// Validates the form, then writes both values under HKCU\Software\####\Backup.
private void button5_Click(object sender, EventArgs e)
{
    Regex myRegularExpression = new Regex("@");
    u_p.BackColor = Color.White;
    u_n.BackColor = Color.White;
    // The username must contain an "@".
    if (myRegularExpression.IsMatch(u_n.Text))
    {
        if (!String.IsNullOrEmpty(u_p.Text))
        {
            // Create (or open) each level of the key path in turn.
            RegistryKey key = Registry.CurrentUser.OpenSubKey("Software", true);
            key.CreateSubKey("####");
            key = key.OpenSubKey("####", true);
            key.CreateSubKey("Backup");
            key = key.OpenSubKey("Backup", true);
            key.SetValue("u_name", u_n.Text);
            // The password is stored as a plain-text string value here.
            key.SetValue("u_pass", u_p.Text);
            MessageBox.Show("Username and Pass Updated Successfully");
        }
        else
        {
            MessageBox.Show("no password entered");
            u_p.BackColor = Color.OrangeRed;
        }
    }
    else
    {
        MessageBox.Show("not a proper username entered");
        u_n.BackColor = Color.OrangeRed;
    }
}
```
ShaneTheTech
  • Passwords are generally hashed (with a salt), not encrypted. Are you asking how to generate the hash from the plain-text password? From your code it looks like you know how to write the value to the registry. – Tim Apr 21 '13 at 02:43
  • Well, I don't want to keep a password in plain text in the registry. So I guess the question is what would be the best way to hash the password so it's not in plain text. – ShaneTheTech Apr 21 '13 at 02:54
  • There are lots of examples - if you do a search on C# Hash and salt password examples or something like that you'll get plenty of hits. Here's one from SO: http://stackoverflow.com/q/2138429/745969. My suggestion would be to look at some examples, try them out, and if you get stuck, add where you're stuck to your question :) – Tim Apr 21 '13 at 03:10
  • How about saving both MD5 or SHA1 hash and corresponding salt. Check this answer to see how to generate hash with salt http://stackoverflow.com/a/4329927/863980 – vulcan raven Apr 21 '13 at 03:10
  • Secrecy *from who*? Don't design a security system without stating the threat. – Eric Lippert Apr 21 '13 at 03:15
  • A hash with salt will slow down an attack. Adding the username into the hashed data makes it that much harder. A dictionary attack would require knowing, or guessing, both the salt and username. A well known username, e.g. "administrator", _might_ be worth the trouble. – HABO Apr 21 '13 at 03:21
  • @Eric -- yeah, I guess I should have said from who. The purpose for the backup is to back up valuable store information for our main product that tracks sales and stuff. Technically I guess anyone could attempt to view the key in question; however, the only ones that have access to the registry are myself and a couple of others. I just wanted a general encryption for the "honest" techs so it's not right in their face, if you know what I mean. – ShaneTheTech Apr 21 '13 at 03:36
  • Encryption/Decryption and hashing are two very different things. Something encrypted should be able to be decrypted again. Hashing is designed to *not* make it possible to "unhash". So be careful not to mix those two. If your other app needs to *retrieve* the original password (very bad idea!) you encrypt it in the first and decrypt it in the second. If the other app needs to *verify* the password (so it has its own login), the first app needs to save it hashed (and salted) and the second one verifies by doing the same with its newly inputted password and seeing if it ends up with the same. – Corak Apr 21 '13 at 06:36
  • If all you want is to obfuscate it from casual viewers then encryption is unnecessary. Just use ROT13 – Eric Lippert Apr 21 '13 at 14:29
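
Added example, not part of the question or its comments: for the case Corak describes where the second app has to *retrieve* the password, one option on Windows is DPAPI (`ProtectedData`), which the thread does not mention and which ties the stored blob to the current Windows account. The class name, the entropy string and the `TryLoad` shape are assumptions; `u_name`, `u_pass` and the `####` key name come from the question.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll on .NET Framework
using System.Text;
using Microsoft.Win32;

// Added example, not code from the question. Assumes both apps run as the same Windows user.
static class BackupCredentialStore
{
    // "####" is the key name as redacted in the question.
    const string KeyPath = @"Software\####\Backup";
    // Hypothetical app-specific entropy. Not a secret once it ships in the binary,
    // but both apps must pass the same bytes or Unprotect fails.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("backup-credentials-v1");

    // Writer app: encrypt with DPAPI and store the blob as REG_BINARY instead of text.
    public static void Save(string userName, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // wipe the temporary plain-text bytes
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue("u_name", userName, RegistryValueKind.String);
            key.SetValue("u_pass", blob, RegistryValueKind.Binary);
        }
    }

    // Reader app: returns false if the value is missing, is still a legacy
    // plain-text string, or was protected under a different Windows account.
    public static bool TryLoad(out string userName, out string password)
    {
        userName = password = null;
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            byte[] blob = key == null ? null : key.GetValue("u_pass") as byte[];
            if (blob == null) return false;
            try
            {
                byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
                userName = key.GetValue("u_name") as string;
                password = Encoding.UTF8.GetString(plain);
                return true;
            }
            catch (CryptographicException) { return false; }   // wrong user, wrong entropy or altered blob
        }
    }
}
```

With `DataProtectionScope.CurrentUser`, someone browsing the registry from another account sees only an opaque binary value, but any code running as the same Windows user can still decrypt it.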

0 Answers