Is there a way to store passwords securely in C# without the use of a database? I want the application to not have to rely on a database, but I do not want to store the password in plain text. For example, I currently do something like:

```csharp
public static string username = "george";
public static string password = "password";
```

I'd like the easiest and securest way to store it otherwise. The application does not need a database for any other purpose, so I'm simply trying to avoid introducing a database for the purpose of storing only a single piece of information.

gnychis
  • You can store the encrypted name/password in the registry. – ron tornambe Apr 05 '15 at 18:56
  • possible duplicate of [Securing a password in source code?](http://stackoverflow.com/questions/4155187/securing-a-password-in-source-code) – Don Scott Apr 05 '15 at 18:57
  • Do you need to store the password itself, or would having a way to validate the user password be good enough? The latter case is usually simpler to implement and safer – Amnon Shochot Apr 05 '15 at 18:58
  • possible duplicate of [Encrypting appSettings in web.config](http://stackoverflow.com/questions/54200/encrypting-appsettings-in-web-config) – Andy Apr 05 '15 at 19:01
  • Dup of http://stackoverflow.com/questions/54200/encrypting-appsettings-in-web-config – Andy Apr 05 '15 at 19:01
  • Encrypt passwords using https://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata%28v=vs.110%29.aspx and store the result somewhere (e.g. registry) – ProgrammingLlama Apr 05 '15 at 19:10
  • To store securely, you either encrypt the password (using another password, that's never saved) or you hash the password (thus you can't retrieve it, but you can compare it). Anything else is effectively plaintext. – Theodoros Chatzigiannakis Apr 05 '15 at 19:37

1 Answer

See SecureString, which gives you access to a variety of string manipulation while encrypting the data in memory to prevent local memory attacks.

If you're interested in the persisting of passwords, it's common to hash and then save the password, and then locally perform the same hash when a login is attempted, comparing the hashed data instead of the raw text. This way, an incorrect password is rejected, but the correct password will hash to the stored value.

As for storing the data, consider storing it as a setting.

Note that cryptography and "how to store passwords safely" is a huge subject and something you should research.

timlyo
David