• Status: Solved

Simple Password Protect Windows Form App

Hello,

I need a simple method to password protect a Windows Form application.  I am thinking something like an encrypted password in a text file that is produced in an installer class.

Does anyone have any suggestions and, even more useful, any examples?

Thanks,

MAC
Asked by: mac-will
2 Solutions
 
SStory Commented:
Protect it from whom?  If you mean keep out the common user, then it shouldn't be very hard.  Otherwise, you must realize that dot net code can be decompiled by anyone using ILDASM that comes with the dot net runtime.

That being said, your code will be visible.  To get around this you'd need to obfuscate the code.  Hackers think in different terms than those doing protection. All you need do is find the machine code point at which we jump to the app entrance and disable the code that doesn't allow that.  This can many times be very simple to do.

It depends on from whom you are protecting it.  A simple way to produce an encrypted password would be to ask for the password, then use built-in encryption to encrypt the password, using the password as the encryption key.  Store that value somewhere and the next time they log in do the same, except instead of storing it, look it up and compare the two encrypted values. If they match...success...else failure.


Examples:
http://www.devarticles.com/c/a/VB.Net/String-Encryption-With-Visual-Basic-.NET/
http://www.codeproject.com/KB/security/SimpleEncryption.aspx
http://www.freevbcode.com/ShowCode.Asp?ID=4520
http://www.devx.com/security/Article/7019
http://www.example-code.com/vbdotnet/encryption.asp
 
Gustav Brock (CIO) Commented:
Well, a video(!) exists:

http://www.youtube.com/watch?v=ujQPTS0DsNA

/gustav
 
Anurag Thakur Commented:
Protect it from whom? I will still ask this question raised by SStory; only then might we be able to give a suitable solution.
 
anarki_jimbel Commented:
I believe hashing the password is a better approach than encryption.

The System.Web namespace provides a very convenient way to create a hashed string from a user input value. A common issue with storing passwords in a flat file or even the database is that unwanted eyes can potentially see your users' passwords and hack into your web application. In order to hide users' passwords in the database, you can create a hashed value of the password and store it in the database. The benefit of storing a hashed value for your passwords is that other people will never know the actual password. The drawback of this approach is, of course, that if you forget the password, it's very hard to recover.

If you have a Windows Forms app, you may still use this approach. Just add a reference to System.Web and add a using statement:
using System.Web.Security;

Just imagine you store a hashed password in a file, and read it somehow. Now see the snippet - it's very easy to deal with hashed passwords:

        private void button1_Click(object sender, EventArgs e)
        {
            // this is hashed "hello" password 
            string passwordSavedInFile = "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D";
            // enter "hello" in the textbox
            string strHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(textBox1.Text, "sha1");
            System.Diagnostics.Debug.WriteLine(strHashedPassword);
            if (passwordSavedInFile == strHashedPassword)
            {
                MessageBox.Show("Correct Password");
            }
            else
            {
                MessageBox.Show("Wrong Password");
            }
        }

 
mac-will (Author) Commented:
Thanks,

The intention is a simple protection.  I understand that it could be disassembled and hacked into by 'advanced' users but this is more of a tamper-proof type of thing.  In other words I am protecting the application from unauthorized use by people who might legitimately be authorized to use the application.

anarki_jimbel, why would a hashing algorithm be better - I would think encryption is better?

Thanks for the video link but this is a little basic for my needs.



SStory,  Are you suggesting encryption of a password with the key as a password?

ENCRYPT(textToEncrypt, key)  --> ENCRYPT("myPassword", "myPassword")?

This might actually work, is there anything wrong with this?

Thanks

MAC
 
anarki_jimbel Commented:
I believe it's a matter of preference. But in web applications this is used quite often. I'll explain why.
A password is stored in a database (database type does not matter). Some bad guy (hacker :)) gets access to a database to retrieve passwords. If passwords are stored in plain text - OK, it's finished. An encrypted string is hard to hack but... it is possible to imagine a scenario where an encrypted password can be restored. Hashing is one more step towards security - this is a kind of one-way encryption. No one can restore the password! (I wrote already about the drawbacks).

Read:
http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx

And lastly - it is a simple technique!
 
Gustav Brock (CIO) Commented:
> Thanks for the video link but this is a little basic for my needs.

Yes, sorry, I didn't follow it to the end ... thought this Aussie guy would dig a bit further.

That said, I vote for the hash too because of simplicity and the other reasons as mentioned.

> The drawback of this approach is of course if you forget the password,
> it's very hard to recover.

It is in fact close to impossible if the hash is an MD5 or similar. The way to resolve this common issue (forgotten password) is to have one or more users with admin rights granted who can reset the password. This is done by erasing the stored hash. Then - at first login - the user has to be prompted for a new password. Very simple.
Perhaps best of all, this concept is easy to explain and prove for users or auditors.

/gustav
 
SStory Commented:
That's exactly what I am suggesting.  There is never a need to decode the password.
Encrypt it the first time by itself.  Store that somewhere.

The next time they log in, take their password, encrypt it by itself and compare it to what is stored. If it matches, they used the same password.  This is good because even if someone finds and reads the password, it is encrypted gibberish and typing that into the password textbox would not let them log in.

HTH,

shane
 
SStory Commented:
Thanks for the points, but I am really curious as to why you gave me a B.
I gave you a solution and many links on how to do it.  Did you want me to write the code for you?
 
Gustav Brock (CIO) Commented:
Don't expect too much, Shane. It's just for the fun ...

/gustav