Solved

Simple Password Protect Windows Form App

Posted on 2008-10-01
10
564 Views
Last Modified: 2012-05-05
Hello,

I need a simple method to password protect a Windows Form application.  I am thinking something like an encrypted password in a text file that is produced in an installer class.

Does anyone have any suggestions and, even more useful, any examples?

Thanks,

MAC
Question by:mac-will
10 Comments
 
LVL 25

Expert Comment

by:SStory
Protect it from whom?  If you mean keep out the common user, then it shouldn't be very hard.  Otherwise, you must realize that dot net code can be decompiled by anyone using ILDASM that comes with the dot net runtime.

That being said, your code will be visible.  To get around this you'd need to obfuscate the code.  Hackers think in different terms than those doing protection. All you need do is find the machine code point at which we jump to the app entrance and disable the code that doesn't allow that.  This can many times be very simple to do.

It depends on from whom you are protecting it.  A simple way to produce an encrypted password would be to ask for the password, then use built-in encryption to encrypt the password, using the password as the encryption key.  Store that value somewhere and the next time they log in do the same, except instead of storing it, look it up and compare the two encrypted values. If they match...success...else failure.


Examples:
http://www.devarticles.com/c/a/VB.Net/String-Encryption-With-Visual-Basic-.NET/
http://www.codeproject.com/KB/security/SimpleEncryption.aspx
http://www.freevbcode.com/ShowCode.Asp?ID=4520
http://www.devx.com/security/Article/7019
http://www.example-code.com/vbdotnet/encryption.asp
0
 
LVL 49

Expert Comment

by:Gustav Brock
Well, a video(!) exists:

http://www.youtube.com/watch?v=ujQPTS0DsNA

/gustav
0
 
LVL 26

Expert Comment

by:Anurag Thakur
Protect it from whom? I will still ask this question raised by SStory; only then might we be able to give a suitable solution.
0
 
LVL 29

Assisted Solution

by:anarki_jimbel
anarki_jimbel earned 50 total points
I believe hashing the password is better approach than encryption.

The System.Web namespace provides a very convenient way to create a hashed string from a user input value. A common issue with storing passwords in a flat file or even the database is that unwanted eyes can potentially see your users' passwords and hack into your web application. In order to hide users' passwords in the database, you can create a hashed value of the password and store it in the database. The benefit of storing a hashed value for your passwords is that other people will never know the actual password. The drawback of this approach is of course that if you forget the password, it's very hard to recover.

If you have windows form app - you still may use this approach. Just add a reference to System.Web and add using statement:
using System.Web.Security;

Just imagine you store a hashed password in a file, and read it somehow. Now see the snippet - it's very easy to deal with hashed passwords:

        private void button1_Click(object sender, EventArgs e)
        {
            // this is hashed "hello" password
            string passwordSavedInFile = "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D";

            // enter "hello" in the textbox
            string strHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(textBox1.Text, "sha1");
            System.Diagnostics.Debug.WriteLine(strHashedPassword);

            if (passwordSavedInFile == strHashedPassword)
            {
                MessageBox.Show("Correct Password");
            }
            else
            {
                MessageBox.Show("Wrong Password");
            }
        }


0
 
LVL 8

Author Comment

by:mac-will
Thanks,

The intention is a simple protection.  I understand that it could be disassembled and hacked into by 'advanced' users but this is more of a tamper proof type of thing.  In other words I am protecting the application from unauthorized use by people who might legitimately be authorized to use the application.

anarki_jimbel, why would a hashing algorithm be better - I would think encryption is better?

Thanks for the video link but this is a little basic for my needs.



SStory,  Are you suggesting encryption of a password with the key as a password?

ENCRYPT(textToIncrypt, key)  --> ENCRYPT("myPassword", "myPassword")?

This might actually work, is there anything wrong with this?

Thanks

MAC
0
 
LVL 29

Expert Comment

by:anarki_jimbel
I believe it's a matter of preferences. But in web applications this is used quite often. I'll explain why.
A password is stored in a database (database type does not matter). Some bad guy (hacker :)) gets access to a database to retrieve passwords. If passwords are stored in plain text - OK, that's the finish. An encrypted string is hard to hack but... It is possible to imagine a scenario when an encrypted password can be restored. Hashing is one more step towards security - this is a kind of one-way encryption. No one can restore the password! (I wrote already about the drawbacks).

Read:
http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx

And at last - it is a simple technique!
0
 
LVL 49

Expert Comment

by:Gustav Brock
> Thanks for the video link but this is a little basic for my needs.

Yes, sorry, I didn't follow it to the end ... thought this Aussie guy would dig a bit further.

That said, I vote for the hash too because of simplicity and the other reasons as mentioned.

> The drawback of this approach is of course if you forget the password,
> it's very hard to recover.

It is in fact close to impossible if the hash is an MD5 or similar. The way to resolve this common issue (forgotten password) is to have one or more users with admin rights granted who can reset the password. This is done by erasing the stored hash. Then - at first login - the user has to be prompted for a new password. Very simple.
Perhaps best of all, this concept is easy to explain and prove for users or auditors.

/gustav
0
 
LVL 25

Accepted Solution

by:
SStory earned 200 total points
That's exactly what I am suggesting.  There is never a need to decode the password.
Encrypt it the first time by itself.  Store that somewhere.

The next time they log in, take their password, encrypt it by itself and compare it to what is stored. If it matches, they used the same password.  This is good because even if someone finds and reads the password, it is encrypted gibberish and typing that into the password textbox would not let them log in.

HTH,

shane
0
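The store-and-compare flow from the hashing answer and the accepted answer above, as an added example that is not part of any post in this thread: it swaps the single SHA-1 pass and the self-keyed encryption for salted PBKDF2 with a constant-time comparison. It assumes .NET 6 or later; PasswordFile, the "iterations:salt:hash" record layout, the constants and the sample path are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not from the thread; assumes .NET 6+. Names and constants are hypothetical.
static class PasswordFile
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 600_000;

    // One-way derivation: salted and iterated, unlike a single SHA-1 pass.
    static byte[] Derive(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                  HashAlgorithmName.SHA256, HashBytes);

    // First run or admin reset: write "iterations:salt:hash" to the file.
    public static void Save(string path, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Derive(password, salt, Iterations);
        File.WriteAllText(path, string.Join(":", Iterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(hash)));
    }

    // Login: re-derive with the stored salt, compare in constant time.
    public static bool Verify(string path, string candidate)
    {
        if (!File.Exists(path)) return false;            // no password set
        string[] p = File.ReadAllText(path).Trim().Split(':');
        if (p.Length != 3 || !int.TryParse(p[0], out int iterations)
            || iterations <= 0) return false;            // malformed record
        try
        {
            byte[] salt = Convert.FromBase64String(p[1]);
            byte[] stored = Convert.FromBase64String(p[2]);
            // Reject short or empty hashes so a damaged file cannot match.
            if (salt.Length == 0 || stored.Length != HashBytes) return false;
            return CryptographicOperations.FixedTimeEquals(
                Derive(candidate, salt, iterations), stored);
        }
        catch (FormatException) { return false; }        // corrupted Base64
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "app-password.txt"); // constructed path
        Save(path, "hello");
        Console.WriteLine(Verify(path, "hello"));  // same password as saved
        Console.WriteLine(Verify(path, "Hello"));  // different password
    }
}
```

Whoever can write the file can replace the record with one for a password of their own, so keep it writable only by the account that performs resets.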
 
LVL 25

Expert Comment

by:SStory
Thanks for the points, but I am really curious as to why you gave me a B.
I gave you a solution and many links on how to do it.  Did you want me to write the code for you?
0
 
LVL 49

Expert Comment

by:Gustav Brock
Don't expect too much, Shane. It's just for the fun ...

/gustav
0
