Reputation: 773
Best practice to protect windows form with a password /journal app with password protection)?
I'm creating a simple journal app. I want the user be able to set a custom start-up password.
But what is the best practice? Where do I securely store the password? And I guess it is best to store a hash of the password - how to do that?
Storing the password (or hash) in a easily readable XML file can't be the best option? One can then just open the XML file and delete the hash string, then when on app load there will be no password, right?
Best regards
Upvotes: 3
Views: 1859
Answers (2)
Reputation: 16959
Let's approach this problem with desire to read your journal. Your ansatz about hashes isn't a bad one, but suppose you do define a startup password, and we store the hash to the password in some XML file. What's stopping me from disassembling your app (which is especially easy to do if we are considering C#, or any JIT-ed language for that matter) and just changing the password validation subroutine to always return true?
What you need is encryption of the actual journal / pages. See the answer to this SO question for a complete rutine that mangles your journal page so that it's safe to save in plaintext, and very hard to retrieve without the password.
You can now also optionally store the hash, and verify its validity for the user; since the actual password will still be needed to open each journal page.
EDIT
This SO answer is even better. Both versions utilize the RijndaelManaged class which is part of .NET framework for encryption and decryption.
Upvotes: 2
Reputation: 2241
Yes, hashing passwords is the best option. It really doesn't matter (in most cases) where you store the password as long as you give the user some way to retrieve it. For example, at startup, the user creates their journal, so a password for the user that they enter is created/hashed. You will also need to ask other information as well such mother's maiden name, first pet, etc. (something the user will know).
Even if someone deletes the hash, the journal is locked and you should not simply ask the user for a new one. User cannot get in unless they verify other information.
You also can use keys that the user can store safely somewhere else (like a file on a USB drive). You can even go further and encrypt the database itself.
Lots of ways to do this, but none full-proof.
Upvotes: 0
Related Questions
- How to store passwords in Winforms application?
- Securely store a password in the application in C#
- How to password protect a form but keep the information visible
- how to password protect a textbox, to secure input in winform c#
- Protect Winform Application/Sql Database From Copying
- Ways around putting a password in code
- C# How to store password in application
- Protect Windows Applications against password recovery tools
- What's the best way to store a password to acces/change it on runtime on winforms application?
- Best way to develop a secured application. With .net