I have some code like this in a winforms app I was writing to query a user's mail box Storage Quota.
DirectoryEntry mbstore = new DirectoryEntry( @"LDAP://" + strhome, m_serviceaccount, [m_pwd], AuthenticationTypes.Secure);
No matter what approach I tried (like SecureString
), I am easily able to see the password (m_pwd) either using Reflector or using strings tab of Process Explorer for the executable.
I know I could put this code on the server or tighten up the security using mechanisms like delegation and giving only the required privileges to the service account.
Can somebody suggest a reasonably secure way to store the password in the local application without revealing the password to hackers?
Hashing is not possible since I need to know the exact password (not just the hash for matching purpose). Encryption/Decryption mechanisms are not working since they are machine dependent.
Password manager applications Pros of using a password manager application: Best place to store passwords — A reputable password manager app is the best way to store passwords securely. A password manager allows you to easily create, manage, and access your secure passwords.
"We continue to support and innovate in Windows Forms runtime," said Microsoft's Igor Velikorossov last month in announcing what's new for WinForms in . NET 6. He's a software engineer on the dev team for the 19-year-old product, a free and open-source graphical (GUI) class library included as a part of .
They're encrypted using AES256 and the encryption key is saved in an operating system (OS) storage area. This technique is called local data encryption. Although not all of the browser's data is encrypted, sensitive data such as passwords, credit card numbers, and cookies are encrypted when they are saved.
The sanctified method is to use CryptoAPI and the Data Protection APIs.
To encrypt, use something like this (C++):
DATA_BLOB blobIn, blobOut; blobIn.pbData=(BYTE*)data; blobIn.cbData=wcslen(data)*sizeof(WCHAR); CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut); _encrypted=blobOut.pbData; _length=blobOut.cbData;
Decryption is the opposite:
DATA_BLOB blobIn, blobOut; blobIn.pbData=const_cast<BYTE*>(data); blobIn.cbData=length; CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut); std::wstring _decrypted; _decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));
If you don't specify CRYPTPROTECT_LOCAL_MACHINE then the encrypted password can be securely stored in the registry or config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With