Simple Password Protect Windows Form App

Posted on 2008-10-01
Last Modified: 2012-05-05
Hello,

I need a simple method to password protect a Windows Form application.  I am thinking something like an encrypted password in a text file that is produced in an installer class.

Does anyone have any suggestions and, even more useful, any examples?

Thanks,

MAC
0
Question by:mac-will
10 Comments
 
LVL 25

Expert Comment

by:SStory
ID: 22618231
Protect it from whom?  If you mean keep out the common user, then it shouldn't be very hard.  Otherwise, you must realize that dot net code can be decompiled by anyone using ILDASM that comes with the dot net runtime.

That being said, your code will be visible.  To get around this you'd need to obfuscate the code.  Hackers think in different terms than those doing protection. All you need do is find the machine code point at which we jump to the app entrance and disable the code that doesn't allow that.  This can many times be very simple to do.

It depends on from whom you are protecting it.  A simple way to produce an encrypted password would be to ask for the password, then use built-in encryption to encrypt the password, using the password as the encryption key.  Store that value somewhere and the next time they log in do the same, except instead of storing it, look it up and compare the two encrypted values. If they match...success...else failure.


Examples:
http://www.devarticles.com/c/a/VB.Net/String-Encryption-With-Visual-Basic-.NET/
http://www.codeproject.com/KB/security/SimpleEncryption.aspx
http://www.freevbcode.com/ShowCode.Asp?ID=4520
http://www.devx.com/security/Article/7019
http://www.example-code.com/vbdotnet/encryption.asp
0
 
LVL 52

Expert Comment

by:Gustav Brock
ID: 22618909
Well, a video(!) exists:

http://www.youtube.com/watch?v=ujQPTS0DsNA

/gustav
0
 
LVL 26

Expert Comment

by:Anurag Thakur
ID: 22618925
Protect it from whom? I will still ask this question raised by SStory; only then might we be able to give a suitable solution.
0
 
LVL 30

Assisted Solution

by:anarki_jimbel
anarki_jimbel earned 150 total points
ID: 22619691
I believe hashing the password is a better approach than encryption.

The System.Web namespace provides a very convenient way to create a hashed string from a user input value. A common issue with storing passwords in a flat file or even the database is that unwanted eyes can potentially see your users' passwords and hack into your web application. In order to hide users' passwords in the database, you can create a hashed value of the password and store it in the database. The benefit of storing a hashed value for your passwords is that other people will never know the actual password. The drawback of this approach is of course if you forget the password, it's very hard to recover.

If you have a Windows Forms app, you may still use this approach. Just add a reference to System.Web and add a using statement:
using System.Web.Security;

Just imagine you store a hashed password in a file, and read it somehow. Now see the snippet - it's very easy to deal with hashed passwords:

        private void button1_Click(object sender, EventArgs e)
        {
            // this is hashed "hello" password 
            string passwordSavedInFile = "AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D";
            // enter "hello" in the textbox
            string strHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(textBox1.Text, "sha1");
            System.Diagnostics.Debug.WriteLine(strHashedPassword);
            if (passwordSavedInFile == strHashedPassword)
            {
                MessageBox.Show("Correct Password");
            }
            else
            {
                MessageBox.Show("Wrong Password");
            }
        }


0
 
LVL 8

Author Comment

by:mac-will
ID: 22620983
Thanks,

The intention is a simple protection.  I understand that it could be disassembled and hacked into by 'advanced' users but this is more of a tamper-proof type of thing.  In other words I am protecting the application from unauthorized use by people who might legitimately be authorized to use the application.

anarki_jimbel, why would a hashing algorithm be better - I would think encryption is better?

Thanks for the video link but this is a little basic for my needs.



SStory,  Are you suggesting encryption of a password with the key as a password?

ENCRYPT(textToEncrypt, key)  --> ENCRYPT("myPassword", "myPassword")?

This might actually work, is there anything wrong with this?

Thanks

MAC
0
 
LVL 30

Expert Comment

by:anarki_jimbel
ID: 22621311
I believe it's a matter of preference. But in web applications this is used quite often. I'll explain why.
A password is stored in a database (database type does not matter). Some bad guy (hacker :)) gets access to a database to retrieve passwords. If passwords are stored in plain text - OK, that's the finish. An encrypted string is hard to hack but... It is possible to imagine a scenario when an encrypted password can be restored. Hashing is one more step towards security - this is a kind of one-way encryption. No one can restore the password! (I wrote already about the drawbacks).

Read:
http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx

And lastly - it is a simple technique!
0
 
LVL 52

Expert Comment

by:Gustav Brock
ID: 22621770
> Thanks for the video link but this is a little basic for my needs.

Yes, sorry, I didn't follow it to the end ... thought this Aussie guy would dig a bit further.

That said, I vote for the hash too because of simplicity and the other reasons as mentioned.

> The drawback of this approach is of course if you forget the password,
> its very hard to recover.

It is in fact close to impossible if the hash is an MD5 or similar. The way to resolve this common issue (forgotten password) is to have one or more users with admin rights granted who can reset the password. This is done by erasing the stored hash. Then - at first login - the user has to be prompted for a new password. Very simple.
Perhaps best of all, this concept is easy to explain and prove for users or auditors.

/gustav
0
 
LVL 25

Accepted Solution

by:
SStory earned 600 total points
ID: 22624286
That's exactly what I am suggesting.  There is never a need to decode the password.
Encrypt it the first time by itself.  Store that somewhere.

The next time they log in, take their password, encrypt it by itself and compare it to what is stored. If it matches, they used the same password.  This is good because even if someone finds and reads the password, it is encrypted gibberish and typing that into the password textbox would not let them log in.

HTH,

shane
0
 
LVL 25

Expert Comment

by:SStory
ID: 22626175
Thanks for the points, but I am really curious as to why you gave me a B.
I gave you a solution and many links on how to do it.  Did you want me to write the code for you?
0
 
LVL 52

Expert Comment

by:Gustav Brock
ID: 22626234
Don't expect too much, Shane. It's just for the fun ...

/gustav
0
