mac-will asked:

Simple Password Protect Windows Form App

Hello,

I need a simple method to password protect a Windows Form application.  I am thinking something like an encrypted password in a text file that is produced in an installer class.

Does anyone have any suggestions, and even more useful, any examples?

Thanks,

MAC

SStory:

Protect it from whom?  If you mean keep out the common user, then it shouldn't be very hard.  Otherwise, you must realize that dot net code can be decompiled by anyone using ILDASM that comes with the dot net runtime.

That being said, your code will be visible.  To get around this you'd need to obfuscate the code.  Hackers think in different terms than those doing protection. All you need do is find the machine code point at which we jump to the app entrance and disable the code that doesn't allow that.  This can many times be very simple to do.

It depends on from whom you are protecting it.  A simple way to produce an encrypted password would be to ask for the password, then use built-in encryption to encrypt the password, using the password as the encryption key.  Store that value somewhere and the next time they log in do the same, except instead of storing it, look it up and compare the two encrypted values. If they match...success...else failure.


Examples:
http://www.devarticles.com/c/a/VB.Net/String-Encryption-With-Visual-Basic-.NET/
http://www.codeproject.com/KB/security/SimpleEncryption.aspx
http://www.freevbcode.com/ShowCode.Asp?ID=4520
http://www.devx.com/security/Article/7019
http://www.example-code.com/vbdotnet/encryption.asp

Protect it from whom? I will still ask this question raised by SSTORY; only then might we be able to give a suitable solution.

SOLUTION (Dmitry G): available to members only.

mac-will (ASKER):

Thanks,

The intention is a simple protection.  I understand that it could be disassembled and hacked into by 'advanced' users but this is more of a tamper proof type of thing.  In other words I am protecting the application from unauthorized use by people who might legitimately be authorized to use the application.

anarki_jimbel, why would a hashing algorithm be better - I would think encryption is better?

Thanks for the video link but this is a little basic for my needs.



SStory,  Are you suggesting encryption of a password with the key as a password?

ENCRYPT(textToIncrypt, key)  --> ENCRYPT("myPassword", "myPassword")?

This might actually work, is there anything wrong with this?

Thanks

MAC

I believe it's a matter of preferences. But in web applications this is used quite often. I'll explain why.
A password is stored in a database (database type does not matter). Some bad guy (hacker :)) gets access to a database to retrieve passwords. If passwords are stored in plain text - OK, that's the finish. An encrypted string is hard to hack but... It is possible to imagine a scenario where an encrypted password can be restored. Hashing is one more step towards security - this is a kind of one-way encryption. No one can restore the password! (I wrote already about the drawbacks).

Read:
http://davidhayden.com/blog/dave/archive/2004/02/16/157.aspx

And at last - it is a simple technique!

> Thanks for the video link but this is a little basic for my needs.

Yes, sorry, I didn't follow it to the end ... thought this Aussie guy would dig a bit further.

That said, I vote for the hash too because of simplicity and the other reasons as mentioned.

> The drawback of this approach is of course if you forget the password,
> it's very hard to recover.

It is in fact close to impossible if the hash is an MD5 or similar. The way to resolve this common issue (forgotten password) is to have one or more users with admin rights granted who can reset the password. This is done by erasing the stored hash. Then - at first login - the user has to be prompted for a new password. Very simple.
Perhaps best of all, this concept is easy to explain and prove for users or auditors.

/gustav

ASKER CERTIFIED SOLUTION: available to members only.

Thanks for the points, but I am really curious as to why you gave me a B.
I gave you a solution and many links on how to do it.  Did you want me to write the code for you?

Don't expect too much, Shane. It's just for the fun ...

/gustav