Best practices for encrypting and decrypting passwords? (C#/.NET)

Question

I need to store and encrypt a password in a (preferably text) file, that I later need to be able to decrypt. The password is for another service that I use, and needs to be sent there in clear text (over SSL). This is not something I can change. What are best practices in this area? How can achieve some degree of protection of the password from malicious users?

My platform is WinForms with C#/.NET 3.5.

Thanks.

Answer 1

I am assuming that you want to encrypt the password as it will be on the users machine and they will (possibly) be able to find it and use it? If so you are basically screwed - no matter what you do, since it is in the users domain they will be able to get it and figure out the encryption and get the password for the encryption (remember that using Reflector - and it's clones - isn't out of the reach of most) and decrypt it and they have it. In short all you are doing is obfuscating the password, not securing it.

What I would recommend is actually move it out of the users control. For example put up a web service which communicates with the client and returns the password securely when requested. This also allows you to change the password, if needed in future as well as provides you with a way to validate legitimate users.

Answer 2

Why you need to decrypt the password? Usually a salted hash of the password is stored and compared. If you encrypt/decrypt the password you have the password as plain text again and this is dangerous. The hash should be salted to avoid duplicated hash if the some users have the same passwords. For the salt you can take the user name.

HashAlgorithm hash = new SHA256Managed(); string password = "12345"; string salt = "UserName";  // compute hash of the password prefixing password with the salt byte[] plainTextBytes = Encoding.UTF8.GetBytes(salt + password); byte[] hashBytes = hash.ComputeHash(plainTextBytes);  string hashValue = Convert.ToBase64String(hashBytes); 

You can calculate the salted hash of the password and store that within your file. During the authentication you calculate the hash from the user entries again and compare this hash with the stored password hash. Since it should be very difficult (its never impossible, always a matter of time) to get the plain text from a hash the password is protected from reading as plain text again.

Tip: Never store or send a password unencrypted. If you get a new password, encrypt is as soon as possible!

Answer 3

System.Security.Cryptography.ProtectedData in the System.Security assembly uses some Windows APIs to encrypt data with a password only it knows.

One possibly use of this would be to have a Windows service that actually does the operation requiring the password. The application that the user interacts with calls into the service via remoting or WCF. As long as the service used DataProtectionScope.CurrentUser and the service user is different from the logged on user, the password should be pretty safe.

This of course assumes that the users are running as limited users who cannot modify the service or run program as the service's user.

Answer 4

Because you are using WinForms and .Net, your code is going to be visible in MSIL - even if obfuscated, and therefore your decryption code is visible.

Who are you trying to hide the password from? Is the user of the app not supposed to know the password?

I think you are going to need to do some user validation, and I would be tempted to put keys to the decryption in a separate database and provide some other mechanism to get that out which should require authentication. That way you can get the decryption code out of the winforms app.

I would also suggest a separate service which runs to regularly change the encryption decryption keys and updates all passwords in the database.