Anyone wanna hold my hand? :)

I'm looking to dabble with some md5 hashing to store encrypted passwords in the registry.
I can only spell md5 at this point....and I'm super-new at vb.net (as some of you have discovered...over and over again...).

But - that said - I'm here to learn...if someone is willing to teach me!

I did a search and came up with this as one of the results -> http://www.obviex.com/samples/Code.aspx?Source=HashVB&Title=Hashing%20Data&Lang=VB.NET

Granted - I don't know if it's the 'best' for a beginner like myself, or if I'm trying to build a house here with just a saw and a few nails...

So what I'm looking for is - a layman's terms description of either the posted link, or a better one.
Preferably no more links - I'm going through these others now and perhaps may understand a bit more.   But if you've had experience in doing what I'm trying to and wouldn't mind sharing some nuggets of wisdom....well, I'd be much obliged.  Oh, and I'd offer up a lot of points too! :^)
sirbounty Asked:

bchoor Commented:
my 2 cents on this

First, when dealing with encryption - 2 things
1. which algorithm you want to use (you chose md5) in this case
2. how you want to call it (with the link you provided you can just add the class "SimpleHash" to your application and call the functions)

To Encrypt your password
Dim EncryptedPassword As String = SimpleHash.ComputeHash(password, "MD5", Nothing)
The Functions in SimpleHash are Shared (or Static) so you don't have to instantiate the SimpleHash object

Second, with regards to the registry - few things you need to consider
1. Where will you place it in the Registry? In the Local Machine or Current User - the reason is because of the privileges the logged user will have. A user will not have access to modify any registry keys in Local Machine - only an admin privileged account has access to modify those keys.
2. How do you plan on creating the keys (e.g Password1, Password2, Password3,... or Passwords\1, Passwords\2, Passwords\3)?
3. Also, do the passwords need to be bound to a username or something?

My suggestion would be to create registry keys in the Current User. Have a folder called Passwords within your registry entry and have 1,2,3 for the passwords

HKCU\Software\MyApp\Passwords\
1 (DWORD) = HashValue
2 (DWORD) = HashValue
3 (DWORD) = HashValue
...

or if you need the username associated with the password
HKCU\Software\MyApp\Logins\[UserName]\
Password = HashValue

Using example 2, to compare the password for user - "jdoe"
Registry would be
HKCU\Software\MyApp\Logins\jdoe\
Password = HashValue

Code would be:
To Create the subKey
==============
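' Requires: Imports Microsoft.Win32
Dim regKey As RegistryKey
' CreateSubKey opens the key writable (creating it if missing) and returns the jdoe subkey itself
regKey = Registry.CurrentUser.CreateSubKey("SOFTWARE\MyApp\Logins\jdoe")
regKey.SetValue("Password", SimpleHash.ComputeHash(password, "MD5", Nothing))
regKey.Close()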

To read the Password
==============
Dim regKey As RegistryKey
Dim passwordHash As String
' A read-only open is enough for GetValue
regKey = Registry.CurrentUser.OpenSubKey("Software\MyApp\Logins\" & "jdoe")
passwordHash = CStr(regKey.GetValue("Password"))
regKey.Close()

To delete the subkey
=============
Dim regKey As RegistryKey
' Open the parent key writable (second argument True); a read-only key cannot delete subkeys
regKey = Registry.CurrentUser.OpenSubKey("Software\MyApp\Logins", True)
regKey.DeleteSubKey("jdoe", True)
regKey.Close()


To compare the entered password, just retrieve the password hash, and compare that to the calculated hash of the password that is entered.

Hope this makes some sense.
~BC
sirbounty (Author) Commented:
Thanx - I actually found (and am currently testing) this solution http://www.a1vbcode.com/vbtip-149.asp
MUCH shorter...so, it's a plus for me! :^)

To answer your questions:
Where in the registry - yes, HKCU\MyCompanyName\MyAppName
Yes, this must be the password for the currently logged on user..."IDEALLY" I'd love to just grab the password that was used to logon, but doubt this is possible, or at least not easy for a beginner like me.
But, I'm pulling the logon user info from an Ldap query and then requesting their password from two text boxes (2nd to confirm).  Only one logon would be used for this - the user's domain credentials...

Thanx for the info...will post back if I get stuck with the above - it seems fairly simple so....<fingers crossed>
Mike Tomlinson (High School Computer Science, Computer Applications, Digital Design, and Mathematics Teacher) Commented:
Also take a peek at my code here that demonstrates another simple MD5 and 3DES implementation:
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/VB_DOT_NET/Q_21586468.html

sirbounty (Author) Commented:
Now you're overloading my brain! lol!

Good info to know though - I might just have a use for it in the not-so-distant-future.
I think I need to get my feet wet in security though- been putting that one off for far too long now...
sirbounty (Author) Commented:
Got 'sorta' past the other problem...(or I've got pending questions on them anyway)...I started from scratch.
Anywho...
http://www.a1vbcode.com/vbtip-149.asp is super-easy!  I have absolutely no clue what it's doing exactly, but it wrote my hashed (is that the right term?) password to the registry...

So, final bit - um, how do I retrieve it in un-hashed form, so I can use it in applying credentials? :$
Mike Tomlinson (High School Computer Science, Computer Applications, Digital Design, and Mathematics Teacher) Commented:
LOL...I was wondering when you were going to ask that question:

    "how do I retrieve it in un-hashed form"

You can't.

MD5 is what is known as a "one way hashing algorithm".  You pass in a string and it gives a hash back.  Theoretically, it is "computationally infeasible" to get the original string back.

So what is it good for?...

Well, you hash the password and store the hash.  Then, even if the password database is compromised, the password is still safe because you can't get the original string back from the hash.  The only way to determine the original password would be to enumerate all possible passwords and hash each one looking for a match against the stolen hash value.

So how do you use it?...

When the user logs in again, they enter their password.  You then hash this "challenge password" and compare that hash against the stored hash.  If they match, then the user must have entered the correct password.

If you want to be able to encrypt/decrypt (not hash) the password then you need 3DES or something similar.  An encryption algorithm uses a KEY to encrypt the string.  If you supply the correct KEY then you can again decrypt the string to its original form.

~IM

sirbounty (Author) Commented:
Arg - I don't know what I want darnit... :$

Here's the deal - I've got this program to keep my vpn connection going...it's been working 'for me'...but I compiled it with my password in clear text...
Now a coworker wants it, and we were talking about storing the password in the registry in some sort of encrypted format.  He suggested md5.  He usually knows what he's talking about...

To reconnect the vpn - I use a shell, thus I pass the password to it.
My goal was to be able to have the user supply their password - store it for use in my shell - but not expose it outside of the app...

So am I barking up the wrong tree again?
sirbounty (Author) Commented:
So, essentially, I wanted to use that 'stored' password until it expired...sounds like I can't...
But, if I was to change this to a one-time, when it's initiated, gimme-your-password, app, this would work...but then what would be the point of even storing it in the registry? : (
Mike Tomlinson (High School Computer Science, Computer Applications, Digital Design, and Mathematics Teacher) Commented:
Exactly...sounds like MD5 is not for you.

3DES wouldn't be a bad choice...take a look again at the link I gave you:
http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/VB_DOT_NET/Q_21586468.html

First, ask the user for their password.

Next, with a hard coded key in your application, encrypt the password and store it in the registry.  Finally, you can pull it back out, decrypt it with your hard coded key and pass the password to your VPN app.
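
An alternative to the hard-coded key, as an added example that is not code from this thread: Windows DPAPI (ProtectedData) encrypts the password under the logged-on user's own account, so no key ships inside the executable where anyone holding a copy of the program could read it. The value name VpnPassword and the entropy string are hypothetical, the key path follows the HKCU\Software\MyApp layout suggested earlier, and the project needs a reference to System.Security.

```vb
Imports System
Imports System.Text
Imports System.Security.Cryptography
Imports Microsoft.Win32

Module DpapiRegistryExample
    Private Const KeyPath As String = "Software\MyApp"     ' layout from the earlier post
    Private Const ValueName As String = "VpnPassword"      ' hypothetical value name
    ' Optional extra entropy: ties the blob to this app's purpose. It is not a secret key.
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("MyApp.VpnPassword.v1")

    ' Encrypts the password for the current Windows user and stores it as REG_BINARY.
    Sub SavePassword(password As String)
        Dim plain() As Byte = Encoding.UTF8.GetBytes(password)
        Dim blob() As Byte = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)
        Array.Clear(plain, 0, plain.Length)                 ' drop the clear-text copy
        Using key As RegistryKey = Registry.CurrentUser.CreateSubKey(KeyPath)
            key.SetValue(ValueName, blob, RegistryValueKind.Binary)
        End Using
    End Sub

    ' Returns the stored password, or Nothing if it is missing or cannot be decrypted
    ' (for example, the blob was copied from another user or machine).
    Function LoadPassword() As String
        Using key As RegistryKey = Registry.CurrentUser.OpenSubKey(KeyPath)
            If key Is Nothing Then Return Nothing
            Dim blob() As Byte = TryCast(key.GetValue(ValueName), Byte())
            If blob Is Nothing Then Return Nothing
            Try
                Dim plain() As Byte =
                    ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser)
                Return Encoding.UTF8.GetString(plain)
            Catch ex As CryptographicException
                Return Nothing
            End Try
        End Using
    End Function

    Sub Main()
        SavePassword("example-only-password")               ' constructed sample value
        Console.WriteLine(LoadPassword() = "example-only-password")
    End Sub
End Module
```

The blob decrypts only for the Windows account that created it, so each coworker stores their own password and a copied registry value is of no use under another account.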

sirbounty (Author) Commented:
That's really cool... :^)

Not exactly sure I'm using it correctly though...

In my form, I've got my Ok_Click event with
Dim Encrypt As New clsEncryption

and then when I write to the registry, I use

writetoregistry(strKey, strValueName, clsEncryption.Encrypt(strPassword, strHashKey))

and if I want to read it back, I'm using:

strPassword=ReadfromRegistry(strKey, strValueName)
strPassword=clsEncryption.Decrypt(strPassword, strHashKey)

Is that 'proper'?  It's working...just want to make sure I'm not using a spoon to dig a hole here... ;^)
Mike Tomlinson (High School Computer Science, Computer Applications, Digital Design, and Mathematics Teacher) Commented:
That should be fine.

Take a peek in the registry to make sure it isn't a plain text password.     ;)