nv3prasad

User ID and Password for an Application.....

I have an Application which will allow only certain operations based on the user, so I need to startup the application with a User Login ID and a Password screen.

I created a System Modal Dialog to get the Login and Password but I would like to know how and where should I store that Information,

Maybe
 
1. Registry or
2. File

and I can use the CAPI to store the password in a cryptic way.

I also have an Administrator Login and Password, but I would like to store it so that it does not get hacked or deleted (file or registry). Can anyone give me a solution for this?
Vinayak Kumbar

Hi,

Are you allowing the user to change the password? If not, you can hardcode it or the like. But if you are allowing it to change, then you have to compare. For that, the best way I think is to store it in a configuration file of yours. This password can be stored along with other information in a binary or cryptic format. For that you have to use serialisation (the best way).

Try it out.
VinExpert
Hi nv3prasad
I think the registry is a better way of storing it. If you store it in a file then there is always a chance of the file being deleted. You are on the right track: encrypt it and store it in the registry.
Regards
Hi,

  I agree with inpras. A registry is always better than a configuration file for storing passwords. You can generate a cryptic key under the HKEY_LOCAL_MACHINE. Say your app name is "SmartMan": create a key "XrfwyRfs". (A +5 to ASCII, very very simple, but it wards off non-smart users.) Under this, create one more key string value to store your cryptic password.
Of course CAPI is a better way of crypting the password.

These are the suggestions.
Hope you know the APIs to store and retrieve the data from the registry.
Feel free to ask
Abdij
Mail id : abdij_b@hotmail.com
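
An added illustration, not part of any post in this thread: the "+5 to ASCII" shift from the post above maps "SmartMan" to "XrfwyRfs" and is undone by the same function with -5, so this sketch keeps a salted PBKDF2 verifier in the registry value or file instead of a recoverable password, and denies the login when the stored record is missing or damaged. Python is used for brevity; the record layout, function names, iteration count and sample password are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not a value from the thread


def shift_name(name, k=5):
    """The "+5 to ASCII" shift from the post; k=-5 undoes it."""
    return "".join(chr(ord(c) + k) for c in name)


def make_record(password, salt=None):
    """Build the string to store in the registry value or file.
    It holds a salt and a PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    fields = ("pbkdf2-sha256", str(ITERATIONS),
              base64.b64encode(salt).decode(), base64.b64encode(dk).decode())
    return "$".join(fields)


def verify(password, record):
    """True only if record is well formed and matches password.
    A deleted, truncated or edited record denies the login."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        rounds = int(iters)
        if scheme != "pbkdf2-sha256" or not 1 <= rounds <= 10_000_000:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (AttributeError, ValueError):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print(shift_name("SmartMan"), shift_name("XrfwyRfs", -5))
    rec = make_record("constructed-sample-password")  # constructed sample
    print(rec)
    print(verify("constructed-sample-password", rec), verify("guess", rec))
```
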
Never, ever hardcode any usernames or passwords in a program.  Encrypted or not.  Ever.  It will always come back to bite you if you do.
nv3prasad

ASKER

What if some smart guys decide to search through the registry and delete the entry for the passwords?

Also, where can I store the Administrator Password?
Hi,
  I agree with your concern, but then use a registry path that no smart guy will think is associated with your program. For example, if you keep an encrypted entry in the HKEY_CLASSES_ROOT no one will know. But you should have some installation and uninstallation program to store and remove these entries as and when the user installs or uninstalls your application. The HKEY_CLASSES_ROOT is a really complex tree. You can also create some harmless looking key like "MSVMI" that is not generally tampered with. (MS things are so delicate you touch them and you have to re-install them !!!)

But as already told, do not use hardcoding or configuration files, because these files can be opened and intelligent users can make sense out of the settings.

Of course you cannot stop the most intelligent ones. They generally get through even the defenses of the Pentagon. Remember ???

Abdij
How about using the Microsoft® Cryptography application programming interface? The latest MSDN CD has it under the title "The Cryptography API, or How to Keep a Secret"

MSDN reference:

mk:@MSITStore:C:\Program%20Files\Microsoft%20Visual%20Studio\MSDN\99OCT\1033\techart.chm::/html/msdn_cryptapi.htm

Good Luck,
Steve
Hi Steve,

I think right in his question nv3prasad has mentioned

>>and I can use the CAPI to store the password in a cryptic way
and CAPI is Microsoft® Cryptography application programming interface.

He is aware of the fact.

Even I have suggested the same thing
>> Of course CAPI is a better way of crypting the password.

So what's your idea???
abdij,

Is he aware of it? I didn't even notice your comment about CAPI.
ASKER CERTIFIED SOLUTION
hariks

This solution is only available to members.
Hi,

hariks >>
 But any worthwhile user knows how to change file attributes. So where is the point? Moreover, the file will have to be stored in the application directory or system directory. If stored in the application directory then it can be opened. Normal users (including intelligent ones) normally do not tamper with the registry. Especially if your key is not encrypted there is little chance of finding, since the registry will not be deleted. Storing the file in the system dir is OK, but again the names have to be crypted et al.

And why in the world do you think yours IS the answer? Why not a comment like the rest of us (FOOLs) and let nv3prasad choose the answer ???????????????????????????????

Anyway, all the best and bye!
Abdij
Hi,

I appreciate all of you guys for all the suggestions and I agree more with Abdij's comments. And hariks, I do not deny your comment, but I would not take that as the solution because it does not provide any better security relative to the suggestions made earlier, but there is increased complexity.

I would like this topic to go on for a little while more before I decide to give the points, so I would appreciate more discussions.

I have started to try Abdij's way, so if anyone has anything to add to his comment, or else if you have a better way, then go ahead and add a comment.

I am sorry guys,

I made a mistake: instead of rejecting the answer I have accepted it. What should I do?
I had asked EE to get this question back to discussion and so I posted a question to them,

Home : Customer Service : Experts Exchange : Q.10252857

I feel bad that with just one click I had made a big blunder.

But never mind, if they are not able to do anything I will post the same question for discussion.

Thank you
Hi Guys,

EE could not take back the accepted answer but has asked me to repost the same question (of course they refunded me the points) and I have the same number of points for you guys to continue on this discussion.

I am sorry again.

Thank you.

New Question:
 Home : Computers : Programming : Windows : MFC : Q.10253006