I am trying to save the username and password of a user in a C# console application. There will be just one username and password that must be saved (it is like a PIN code). I don't want to use a database for this. Using a .txt file would be irrational because anyone can see and find the txt file and get into the program.

I tried to use Properties.Resources, but because Resources are read-only, there is no way of changing the password at runtime if the user wants to change their password.

     Properties.Resources.Admin_Mail = Reading;

It gives an error because of the reason I mentioned above.

What should I use? I cannot find any suitable way to solve this problem on the internet.

  • Can't you just use the OS login features? If you really want to store the login information, do not store the password, but a hash. See also here: https://stackoverflow.com/questions/16957492/c-sharp-securely-storing-a-password-locally – Klaus Gütter Feb 17 '22 at 16:04
  • Well, resources are read-only, you can try still using a txt file but encrypt the password before saving. – NazaRN Feb 17 '22 at 16:04
  • You might find [How to securely save username/password (local)?](https://stackoverflow.com/questions/12657792/how-to-securely-save-username-password-local) useful. – Andrew Morton Feb 17 '22 at 16:05
  • @NazaRN No, encryption is _not_ enough. Passwords shouldn't be kept in a reconstructable form. – Fildor Feb 17 '22 at 16:05
  • @Fildor What if the password has to be passed to a third party? – Andrew Morton Feb 17 '22 at 16:06
  • @AndrewMorton Then you have a problem. – Fildor Feb 17 '22 at 16:07
  • Use OWIN middleware to persist the values. – GH DevOps Feb 17 '22 at 16:26
  • So, the first time that someone runs your program they will be prompted to enter a username/password. After that, it's locked to one user/pw combination forever? – Flydog57 Feb 17 '22 at 16:55
  • Encryption is not an answer. Encryption requires a key. Where do you store the key? Hashing with a salt is typically the way to go. – Flydog57 Feb 17 '22 at 16:57
  • The link in @AndrewMorton's comment suggests DPAPI (the `ProtectedData` class in .NET). The problem with DPAPI is that the only useful scope in this case is `MemoryProtectionScope.SameLogon`. That means that any program running with the same user credentials can read the encrypted data. – Flydog57 Feb 17 '22 at 18:42

1 Answer

I am not sure where you are at in your development journey.

You'll need System.IO to read and write to the text file. I would give it a different extension than .txt. https://learn.microsoft.com/en-us/dotnet/api/system.io?view=net-6.0

Consider using a SecureString type in C# https://learn.microsoft.com/en-us/dotnet/api/system.security.securestring?view=net-6.0

Encrypt the data stored in the file. https://learn.microsoft.com/en-us/dotnet/standard/security/encrypting-data

Decrypt the user's entry to ensure it matches the file. https://learn.microsoft.com/en-us/dotnet/standard/security/decrypting-data

There is a Stack Overflow link talking about the actual input: Password masking console application

Sorry for just linking to references instead of a straightforward code answer, but I am not sure of your intent and the level of security you wish to provide.

  • Actually this is the best answer I can hope for :) Thank you very much – Menderes Ersöz Feb 17 '22 at 16:25
  • If you encrypt the data, where do you store the password for the encryption process? I suspect the best solution is to put something with a lot of entropy (say a GUID) into a resource. Then, when you establish the one and only password, salt it with that GUID (or whatever it is) and hash it. Store the hash in a file in IsolatedStorage (which doesn't really hide the file, but does make it hard to find). When someone enters a password to be checked, salt it in the same way, hash it in the same way, and compare the hash to what you read from IsolatedStorage. – Flydog57 Feb 17 '22 at 16:52
  • Using something like dnSpy, one can decompile such a program, add a breakpoint, and see the decrypted password. Once someone has access to the program and data files, it is all over. – Frank Hileman Feb 17 '22 at 18:55
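
One way to implement the salted-hash approach suggested in the comments, as an added example that is not code from the question, the answer or any commenter. It swaps the fixed GUID salt for a random per-password salt, uses PBKDF2 (.NET 6 or later) and writes to a plain file instead of IsolatedStorage; the class name `PinStore`, the folder `ExampleConsoleApp`, the file name and the iteration count are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Demo with constructed sample values (not from the original page).
PinStore.Save("admin", "constructed-sample-password");
Console.WriteLine(PinStore.Verify("admin", "constructed-sample-password"));
Console.WriteLine(PinStore.Verify("admin", "wrong-password"));

static class PinStore
{
    const int SaltBytes = 16, HashBytes = 32;
    const int Iterations = 600_000; // assumed work factor; tune for your hardware
    // Hypothetical location: per-user application data folder.
    static readonly string FilePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleConsoleApp", "credential.dat");

    // Called on first run and whenever the user changes the password.
    public static void Save(string userName, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashBytes);
        Directory.CreateDirectory(Path.GetDirectoryName(FilePath)!);
        File.WriteAllLines(FilePath, new[] {
            userName, Iterations.ToString(),
            Convert.ToBase64String(salt), Convert.ToBase64String(hash) });
    }

    // Re-derives the hash from the entered password; the password itself is never stored.
    public static bool Verify(string userName, string password)
    {
        if (!File.Exists(FilePath)) return false;
        string[] rec = File.ReadAllLines(FilePath);
        if (rec.Length != 4 || !int.TryParse(rec[1], out int iter) || iter <= 0) return false;
        try
        {
            byte[] salt = Convert.FromBase64String(rec[2]);
            byte[] expected = Convert.FromBase64String(rec[3]);
            if (expected.Length != HashBytes) return false; // reject truncated records
            byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iter,
                                                      HashAlgorithmName.SHA256, HashBytes);
            // Constant-time comparison of the hashes, combined without short-circuiting.
            return CryptographicOperations.FixedTimeEquals(actual, expected)
                 & string.Equals(rec[0], userName, StringComparison.Ordinal);
        }
        catch (FormatException) { return false; } // corrupted Base64 in the file
    }
}
```

Because `Save` rewrites the file, the password can be changed at runtime, which a read-only resource does not allow. The file holds no recoverable password, but anyone who can overwrite it can install a hash of their own, so restrict write access to it.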