
I'm developing a desktop application in C#. In my application the user should log in before using it. Now I want to save my username and password securely.

I know about hashing my username\password, adding a salt to my password and saving the hashed data in a file; but in this case the user can replace this file with a previous one. I know we can't prevent this completely, but I want to make it hard.

One solution is storing a hash of the file in the registry to prevent changing this file; but I think there should be a better solution.

Edit: I don't use a database and I'm using Windows 7.

Ali.Sepehri
  • Why don't you use the Windows vault if it's local? Perhaps the following can be useful. http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh465069.aspx – Silvermind Nov 29 '14 at 11:21
  • @Silvermind: Brian in [his question] said "...this namespace is Windows 8 specific." (http://stackoverflow.com/questions/12538367/using-credenumerate-to-pull-webcredentials) – Ali.Sepehri Nov 29 '14 at 12:12
  • Perhaps [this](http://www.nuget.org/packages/CredentialManagement/) can be of help then. – Silvermind Nov 29 '14 at 12:52
  • Why are you doing this? The question sounds like you are implementing your own password protection in the program. I.e. the program will challenge the person running it, who then has to enter their username and password. But Windows already does this! They login to Windows and your program can see and use that information, i.e. which user is running the program. Please explain why the Windows user login doesn't already address your need. – Peter Duniho Nov 29 '14 at 17:11
  • @PeterDuniho: I have different levels of security in my application. In this case a user with a low level of access can bypass this security level. – Ali.Sepehri Nov 30 '14 at 06:20
  • @Ali.Sepehri: but why is this security being implemented in a way that exposes it to the user? It seems like if you managed access by the actual Windows user account, you can let Windows deal with authentication. And if you want the user authentication different from Windows, you should implement it server-side where the user can't get at it. Anyway, the lack of responses should be a hint to you that you're probably heading in the wrong direction here. Trying to secure data from the user in whose hands the data is (figuratively) held, that's just not going to work. – Peter Duniho Nov 30 '14 at 08:28
  • @Silvermind: It works, I'll accept your answer if you write it as an answer here. Thank you :) – Ali.Sepehri Nov 30 '14 at 10:47
  • Read [that link](http://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh465069.aspx) carefully. Windows Vault will be efficient if it is used server-side, like a database store, which you don't have in this case. If you use it locally it is the same encrypted local file with roaming user access, plus you lose your app's portability too in favour of using a built-in API. And according to that link, the vault stores in a file too; even the Windows password and registry on the client can be accessible and, with enough time, replaceable too. – M.G.E Dec 16 '14 at 04:44
  • I think Windows credentials for the running application are enough on the client, and this is not practical from a security point of view. – M.G.E Dec 16 '14 at 04:52

1 Answer

You can follow this tutorial: http://msdn.microsoft.com/en-us/library/aa302402.aspx

It uses the CryptProtectData API, which provides the following:

The CryptProtectData function performs encryption on the data in a DATA_BLOB structure. Typically, only a user with the same logon credential as the user who encrypted the data can decrypt the data. In addition, the encryption and decryption usually must be done on the same computer.

Check more info here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx

rodrigogq
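As an added example (not code from the answer or from the MSDN tutorial it links), the approach described above in C#: the salted PBKDF2 hash of the password is wrapped with ProtectedData, the managed wrapper over CryptProtectData, in CurrentUser scope. The file name, iteration count and entropy string are assumed values. As the question and comments note, DPAPI keeps the blob unreadable to other accounts but does not stop a user who can write the file from swapping in an earlier copy.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the answer or the linked MSDN tutorial. Assumes .NET
// Framework on Windows with System.Security.dll referenced; file name, iteration count
// and entropy string are assumed values.
static class CredentialStore
{
    const string StorePath = "creds.bin";
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;
    // Optional entropy is mixed into the DPAPI key so other programs running
    // as the same Windows user still need this value to unprotect the blob.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.Credentials.v1");

    public static void Save(string username, string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashSize);
        byte[] user = Encoding.UTF8.GetBytes(username);
        // Plaintext layout before protection: [user length][user][salt][hash]
        byte[] plain = new byte[1 + user.Length + SaltSize + HashSize];
        plain[0] = checked((byte)user.Length);
        Buffer.BlockCopy(user, 0, plain, 1, user.Length);
        Buffer.BlockCopy(salt, 0, plain, 1 + user.Length, SaltSize);
        Buffer.BlockCopy(hash, 0, plain, 1 + user.Length + SaltSize, HashSize);
        // CurrentUser scope: only the same Windows logon on this machine can unprotect.
        File.WriteAllBytes(StorePath, ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser));
    }

    public static bool Verify(string username, string password)
    {
        byte[] plain;
        try { plain = ProtectedData.Unprotect(File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.CurrentUser); }
        catch (CryptographicException) { return false; } // other user/machine, or blob tampered
        int n = plain[0];
        if (plain.Length != 1 + n + SaltSize + HashSize) return false;
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(plain, 1 + n, salt, 0, SaltSize);
        byte[] expected;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            expected = kdf.GetBytes(HashSize);
        bool ok = Encoding.UTF8.GetString(plain, 1, n) == username;
        for (int i = 0; i < HashSize; i++) ok &= plain[1 + n + SaltSize + i] == expected[i];
        return ok;
    }
}
```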