C# Secure way to store a Number?

Question

I have built my own lock screen for Windows 7. Thus, it uses a password to unlock itself. So I decided to store only the hash code of the password string (For example, I call the GetHashCode method of the string "Password123"). Now I have the task of storing the number. How would I do this in the most secure way? Or is using the hashcode of the password string even the best way of doing it? My goal is to keep someone from gaining access to this number and ultimately, keeping someone from discovering the password.

Here are some possible methods I have come up with so far:

Store the Password's hash code in an unencrypted plain text file along side the main program.
Store the Password's hash code in an encrypted text file along side the main program (This introduces the problem of storing and getting a suitable key for encryption)
Store the Password's hash code in a small compiled C# library.
Do as above, but encrypt the resulting assembly. Then, to load it, simply read all the bytes into memory, decrypt, then use Assembly.Load to load the raw byte array.

Now is there any better (more secure) ways of keeping someone from discovering the hash code that I am trying to store on the hard drive?

EDIT: As per the comments below, I am working on a patch to the program to use a hashing algorithm to get a hashcode of my password. Now the question is "How would I securely store an array of bytes on the hard drive? All the options above still apply.

Thanks for your help in advance.

You're aware that [String.GetHashCode()](https://msdn.microsoft.com/en-us/library/system.string.gethashcode.aspx) is not cryptographically strong and there will be collisions all over the place, right? Not to mention the hashing algorithm can and does change across platforms and *versions of the .NET framework*? Don't do that. It's a bad idea. — Frédéric Hamidi, Jan 04 '17 at 14:32
@wkl thanks, I thought I did that when I was writing it. Oops. — DD314, Jan 04 '17 at 14:37
http://stackoverflow.com/questions/442443/is-there-some-sort-of-secure-local-storage-on-windows — Daniel A. White, Jan 04 '17 at 14:41
Ok so instead I will use a HashAlgorithm from the System.Security.Cryptography namespace. — DD314, Jan 04 '17 at 14:44
There are other places you can store the password as well, such as the registry. — Abion47, Jan 04 '17 at 14:47
So I look into the System.Security.Cryptography namespace and it turns out that there are several Hashing algorithms to use. Which one would be the best for taking the hash of a string? — DD314, Jan 04 '17 at 14:48
@Abion47 bad idea. This app will be run in safe mode as well. So using the registry isn't a very good idea for me. And on top of that, it takes a lot code to access the registry from C# (even using the Microsoft.Win32.Registry classes). So I decided to stayaway from the registry. — DD314, Jan 04 '17 at 14:50
To add on to what Frédéric said, for the general case a call to `.GetHasCode()` does not need to return the same value for the same object across multiple runs of the same program (or in a single run across multiple AppDomains). It is only guaranteed to return the same value for the same object within a single run of the program. — Scott Chamberlain, Jan 04 '17 at 14:56
Ah, that's why my password won't work sometimes even when I know I typed it right. I am implementing a patch that will use the SHA512 hashing algorithm to hash my password instead of using the GetHashCode method. The tricky part now is storing the byte array, instead of a simple number. — DD314, Jan 04 '17 at 15:02
`Rfc2898DeriveBytes` or Bcrypt is a better choice for hashing PWs. Once it is hashed you dont have to worry so much about if they can find it. — Ňɏssa Pøngjǣrdenlarp, Jan 04 '17 at 15:17
I'm with Plutonix about using Rfc2898DeriveBytes. The SHA family algorithms are pretty fast, and when it comes to password hashing, you don't want it to be fast at all. Honestly, since you're using C#, I'll go with PBKDF2 instead of BCrypt, because C# already has an official implementation, while BCrypt is an external library that you need to add. Here you can read more about PBDKDF2 and Rfc2898DeriveBytes: https://www.owasp.org/index.php/Using_Rfc2898DeriveBytes_for_PBKDF2 — Esteban Cervantes, Jan 04 '17 at 17:18

score 0 · Answer 1 · answered Jun 07 '19 at 20:38

If I understand your requirement correctly, you want to secure your desktop. It shouldn't matter if someone gets to read the hash, as long as they have to do a LOT of work to figure out the password from which it came. So what you want is a decent cryptographic hashing algorithm like one of the later SHAs. See [https://en.wikipedia.org/wiki/One-way_function][1] and note that even you, knowing both the algorithm and all stored hashes, should not be able to follow a reverse process to get back to original passwords.

And of course all the normal guidelines for strong passwords still apply - minimum length, mix of alphanumeric, and non-alphanumerics etc.

You also do not want someone to be able to casually delete or fiddle with your hash because that would lock everyone including you out, so I would avoid the regular file system and suggest the registry under CURRENT_USER.

C# Secure way to store a Number?

1 Answers1