Password storage issue [C# / .NET] RRS feed

  • Question

  • Hello everybody,

    I encounter a very common issue that I'm sure many people do, but could not find how to solve it.
    Basically, I need to securely store a password and retrieve it later. My application ask the user's password once, then logs him/her in, and then do not ask password anymore in the future.

    My question is not about "how to encrypt data", I already know everything I need to know about encryption/decryption (there are tons and tons of articles everywhere on the web to learn about that) but really how and/or where to securely store critical private data ?

    Hereafter are the contraints for my needs:
    - I must reuse the password to login to subjacents services (that means hash cannot be used)
    - The system must be as minimalist and easy to deploy as possible (that means DB cannot be used)
    - The system is a .NET Windows application (that means ASP.NET security aspects cannot be used)

    For testing, the application write an encrypted test data to a file and then from other application, I tried to get that file decrypted.
    Until then, I tried to use asymetric keys (RSA) and stored the keys to a "Key Container" but I noticed the keys could be acquired if the container name is known, which can be easily found by disassembling the executable.
    I tried to use ProtectedData.Protect and Unprotect methods (DPAPI mapping) but same, any other application running on the same machine could decrypt the file.
    Same as for the methods File.Encrypt and File.Decrypt but even worst because they need the file to be previously written uncyphered on disk.
    Of course I could generate a random session key and encrypt the file with AES, but the problem remain, where to store the AES session key ?
    As for hard-coding a session key, the problem of easily getting the key by disassembling remain...

    What I need is the same secure way that applications such as MSN Messenger or Skype store the user's password.
    OK I can produce an encrypted file that cannot not be read by humans, but still can be easily "unlock" by any program. I cannot imagine that MSN Messenger password file can be so easily decrypted, such a security issue would be known if it were the case.

    I investigated "CardSpace" and "Strong Name" but seems unrelated to my needs.

    Sorry for that long post, and thanks a lot in advance for your help.
    Saturday, January 2, 2010 7:44 PM

All replies

  • Hi – I think my information can help you:

    I think you shall apply my customized solutions for security: I think you shall use the Windows® Registry to store the passwords securely to hash them is very smart, especially when applying the SHA256 hash-algorithm (I do not directly understand you in this case), anyway.

    Please do not use a regular Registry path for this, since they are much easier to trace in the Windows® Registry and re-modify.

    A more protected path is a CLSID path, even if the CLSID (Class Identifier), I believe you shall use that path for higher protection, and by implementing randomization on this you’ll get higher security.    


    Before the application exits, it will randomly generate some numbers the first shall be a length of 8, the second shall be, 4, third shall be 4, fourth shall be 4 and the last shall be 12.
    Each of them shall be put into an array of 5 memory boxes.

    Then, using a regular temporary string variable, you shall put them this way:
    string temp = string.Format(“{0}-{1}-{2}-{3}-{4}”, a[0], a[1], a[2], a[3], a[4]);

    If my solution doesn’t work well then apply the SecureString class which can be found under System.Security; namespace.

    Direct link: http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx

    I hope this information was helpful…

    Have a nice day…

    Best regards,

    Sunday, January 3, 2010 7:20 PM
  • I think you're on the right track, but the thing you're missing is that you should supply a byte string in the entropy parameter. That data is known only to you and it must be supplied again to retrieve the data with the Unprotect method. Nobody else can get that secret data unless they know the entropy byte string. 
    Phil Wilson
    Sunday, January 3, 2010 7:32 PM
  • Thanks for your answers.

    Coder24.com, unfortunately your answer do not help me, so I guess my explanation was not clear enough. Let me explain you why I can't hash.
    Actually, my application will login to a Google application and to a SkyDrive in order to store data on remote storage. To login to these services, the application must provide the username and the password (in clear) of the account to use. If I hash the password, I can't get it back to clear anymore as long as the hash algorithm is irreversible.

    PhilWilson, I agree with your idea but that takes me back to the same point. The purpose to store password is to make the user not have to enter his/her password each time he/she uses the application, so if I use an entropy, the user will have to enter the entropy element each time he/she uses the application, which is finally just as same as asking him/her to enter password each time, or I have to store the entropy somewhere to retrieve it later, which takes me to the same question, where and how to store the entropy?

    Thanks for you help.
    Monday, January 4, 2010 3:20 AM
  • Use this then:

    Or store the passwords as I told you but un-hashed!

    Have a nice day...

    Best regards,
    Monday, January 4, 2010 8:21 AM
  • The idea behind entropy is that you store it separately, or embed it in your code. In your case you are storing a password associated with a user account name. You could perhaps hash that account name to produce a byte string for the entropy, so it would be the same every time you used it (protecty and unprotect).
    Phil Wilson
    Monday, January 4, 2010 6:42 PM
  • Hi Tanuki:

    How is the situation on your side?
    Is this thread solved or NOT?

    Please tell me...

    Have a nice day...

    Best regards,
    Monday, January 11, 2010 9:24 AM
  • hiiii

     this is the password in the encrypted form of skype account "aplajy"


    can any one tell me the link of code of how to decrypt this password??
    its very urgent.
    i promise that connnecting to me will be helpful 2 u..

    Thursday, February 4, 2010 8:42 AM