User ID and Password for an Application

I have an Application which will allow only certain operations based on the user, so I need to startup the application with a User Login ID and a Password screen.

I created a system modal dialog to get the login and password, but I would like to know how and where I should store that information.

Maybe:

1. Registry, or
2. File

and I can use the CAPI to store the password in a cryptic way.

I also have an Administrator login and password, but I would like to store it so that it does not get hacked or deleted (file or registry). Can anyone give me a solution for this?
nv3prasad asked:

Vinayak Kumbar (Sr Program Manager) commented:
Hi,

Are you allowing the user to change the password? If not, you can hardcode it or something like that. But if you are allowing changes, then you have to compare. For that, the best way I think is to store it in a configuration file of yours. This password can be stored along with other information in a binary or cryptic format. For that you have to use serialisation (the best way).

Try it out.
VinExpert
0
inpras commented:
Hi nv3prasad,
I think the registry is a better way of storing it. If you store it in a file, there is always a chance of the file being deleted. You are on the right track: encrypt it and store it in the registry.
Regards
0
abdij commented:
Hi,

  I agree with inpras. The registry is always better than a configuration file for storing passwords. You can generate a cryptic key under HKEY_LOCAL_MACHINE. Say your app name is "SmartMan"; create a key "XrfwyRfs". (A +5 to ASCII, very, very simple, but it wards off non-smart users.) Under this, create one more string value to store your cryptic password.
Of course CAPI is a better way of crypting the password.

These are the suggestions.
Hope you know the APIs to store and retrieve the data from the registry.
Feel free to ask
Abdij
Mail id : abdij_b@hotmail.com
0

Ernest022699 commented:
Never, ever hardcode any usernames or passwords in a program.  Encrypted or not.  Ever.  It will always come back to bite you if you do.
0
nv3prasad (Author) commented:
What if some smart guys decide to search through the registry and delete the entry for the passwords?

Also, where can I store the Administrator password?
0
abdij commented:
Hi,
  I agree with your concern, but then use a registry path that no smart guy will think is associated with your program. For example, if you keep an encrypted entry in HKEY_CLASSES_ROOT, no one will know. But you should have some installation and uninstallation program to store and remove these entries as and when the user installs or uninstalls your application. HKEY_CLASSES_ROOT is a really complex tree. You can also create some harmless-looking key like "MSVMI" that is not generally tampered with. (MS things are so delicate: you touch them and you have to re-install them!!!)

But as already told, do not use hardcoding or configuration files, because these files can be opened and intelligent users can make sense out of the settings.

Of course you cannot stop the most intelligent ones. They generally get through even the defenses of the Pentagon. Remember???

Abdij
0
SteveGTR commented:
How about using the Microsoft® Cryptography application programming interface? The latest MSDN CD has it under the title "The Cryptography API, or How to Keep a Secret"

MSDN reference:

mk:@MSITStore:C:\Program%20Files\Microsoft%20Visual%20Studio\MSDN\99OCT\1033\techart.chm::/html/msdn_cryptapi.htm

Good Luck,
Steve
0
abdij commented:
Hi Steve,

I think right in his question nv3prasad has mentioned

>>and I can use the CAPI to store the password in a cryptic way
and CAPI is Microsoft® Cryptography application programming interface.

He is aware of the fact.

Even I have suggested the same thing:
>> Of course CAPI is a better way of crypting the password.

So what's your idea???
0
SteveGTR commented:
abdij,

Is he aware of it? I didn't even notice your comment about CAPI.
0
hariks commented:
Hi Prasad,

Instead of storing your passwords in the registry, storing the passwords in a file is a better way, I suppose.

Because you can restrict access to reading or deleting the file; on the other hand, it is not possible for you to do the same with the registry.

As far as security goes, you can use both the registry and a file to confuse the hackers. The underlying mechanism should work like this: maintain the crypt key in the registry, and the registry key should be maintained in the file, like:

  Registry Key (has CryptKey)

  Password File has
   1. User Name and Password Index
   2. Password Index has
      a. Registry Key (for each user) &
      b. Password (crypted)

  (Note: you should not store the entire registry key. It should just be a hint (or a generated registry key is a better way), where you can find the crypt key.)

So, if you want to change the password:
  1. Get the Password Index through the User Name.
  2. Get the Registry Key from the Password Index.
  3. Retrieve the Crypt Key from the Registry.
  4. Decrypt the Password (from the Password Index) through the Crypt Key.

While shutting down your application, your app should re-index the file and, by the way, change the appropriate registry key. Even otherwise (in case of a crash), there is no harm and you can use the existing ones.

bye
hariks
0
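The two-part layout and the four lookup steps from hariks' comment, as an added example that is not code from any poster: a dict stands in for the registry (key name to per-user crypt key) and another for the password file (user name to key hint, salt and crypted password). One technique is swapped in and labelled: the "crypted" value is a keyed one-way hash (HMAC-SHA256) rather than reversible encryption, so step 4 becomes a hash comparison and neither half of the store yields the cleartext password even if both are read; all names and the re-index behaviour are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed demo of hariks' split layout. The Windows registry is stood in
# for by a dict: key name -> per-user crypt key. The password file is a dict:
# user name -> (registry key hint, salt, crypted password).
Registry = Dict[str, bytes]
PasswordFile = Dict[str, Tuple[str, bytes, bytes]]


def _crypt(password: str, key: bytes, salt: bytes) -> bytes:
    # Swapped-in technique: a keyed one-way hash (HMAC-SHA256) instead of
    # reversible encryption. Login compares hashes, so neither the file nor
    # the registry half ever yields the cleartext password.
    return hmac.new(key, salt + password.encode("utf-8"), hashlib.sha256).digest()


def add_user(user: str, password: str, reg: Registry, pf: PasswordFile) -> None:
    hint = "K" + secrets.token_hex(8)  # generated registry key name, not the key
    key = secrets.token_bytes(32)      # per-user crypt key lives only in the registry
    salt = secrets.token_bytes(16)
    reg[hint] = key
    pf[user] = (hint, salt, _crypt(password, key, salt))


def verify(user: str, password: str, reg: Registry, pf: PasswordFile) -> bool:
    rec = pf.get(user)                 # step 1: password index via user name
    if rec is None:
        return False
    hint, salt, stored = rec           # step 2: registry key hint from the index
    key = reg.get(hint)                # step 3: crypt key from the registry
    if key is None:
        return False  # registry entry deleted or tampered: deny, never fall back
    return hmac.compare_digest(stored, _crypt(password, key, salt))  # step 4


def reindex(reg: Registry, pf: PasswordFile) -> None:
    # hariks' shutdown step: give every user a fresh registry key name so a
    # captured hint goes stale. The crypt keys themselves stay unchanged, since
    # a one-way hash cannot be re-derived without the password.
    for user, (old_hint, salt, stored) in list(pf.items()):
        new_hint = "K" + secrets.token_hex(8)
        reg[new_hint] = reg.pop(old_hint)
        pf[user] = (new_hint, salt, stored)
```

In a real deployment the password file would additionally sit under restrictive file ACLs, as hariks suggests, and the crypt key would be kept out of any world-readable registry hive.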

abdij commented:
Hi,

hariks >>
 But any worthwhile user knows how to change file attributes. So where is the point? Moreover, the file will have to be stored in the application directory or the system directory. If stored in the application directory, then it can be opened. Normal users (including intelligent ones) normally do not tamper with the registry. Especially if your key is not encrypted there is little chance of finding it, since the registry will not be deleted. Storing the file in the system dir is OK, but again the names have to be crypted, etc.

And why in the world do you think yours IS the answer? Why not a comment like the rest of us (FOOLs) and let nv3prasad choose the answer???

Any way All the best and Bye!
Abdij
0
nv3prasad (Author) commented:
Hi,

I appreciate all of you guys for all the suggestions, and I agree more with Abdij's comments. hariks, I do not deny your comment, but I would not take that as the solution because it does not provide any better security relative to the suggestions made earlier, while there is increased complexity.

I would like this topic to go on for a little while more before I decide to give the points, so I would appreciate more discussion.

I have started to try Abdij's way, so if anyone has anything to add to his comment, or if you have a better way, then go ahead and add a comment.

0
nv3prasad (Author) commented:
I am sorry guys,

I made a mistake, instead of rejecting the answer I have accepted it. What should I do?
0
nv3prasad (Author) commented:
I had asked EE to get this question back to discussion, and so I posted a question to them:

Home : Customer Service : Experts Exchange : Q.10252857

I feel bad about that just by one click I had made a big blunder.

But never mind; if they are not able to do anything, I will post the same question for discussion.

Thank you
0
nv3prasad (Author) commented:
Hi Guys,

EE could not take back the accepted answer but has asked me to repost the same question (of course they refunded me the points), and I have the same number of points for you guys to continue this discussion.

I am sorry again.

Thank you.

New Question:
 Home : Computers : Programming : Windows : MFC : Q.10253006
0