[ACCEPTED]-How to store passwords in Winforms application?-passwords
The sanctified method is to use CryptoAPI and the Data Protection APIs.
To encrypt, use something like this (C++):
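// Needs <windows.h> and <wincrypt.h>; link against Crypt32.lib.
DATA_BLOB blobIn, blobOut;
blobIn.pbData=(BYTE*)data;
blobIn.cbData=(DWORD)(wcslen(data)*sizeof(WCHAR));
// blobOut is only valid if the call succeeds.
if (CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut)) {
    _encrypted=blobOut.pbData; // allocated by the API; release with LocalFree() when no longer needed
    _length=blobOut.cbData;
}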
Decryption is the opposite:
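DATA_BLOB blobIn, blobOut;
blobIn.pbData=const_cast<BYTE*>(data);
blobIn.cbData=length;
std::wstring _decrypted;
// The call fails if the blob cannot be decrypted in this context; blobOut is only valid on success.
if (CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut)) {
    _decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));
    // Wipe and free the plaintext buffer that the API allocated.
    SecureZeroMemory(blobOut.pbData, blobOut.cbData);
    LocalFree(blobOut.pbData);
}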
If you don't specify CRYPTPROTECT_LOCAL_MACHINE, then the encrypted password can be securely stored in the registry or config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.
As mentioned, the Data Protection API is a good way to do this. Note that if you're using .NET 2.0 or greater, you don't need to use P/Invoke to invoke the DPAPI. The framework wraps the calls with the System.Security.Cryptography.ProtectedData class.
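The managed counterpart of the C++ calls above, using the ProtectedData class named in this answer; this is an added example, not code from the original answers. The class name PasswordStore, the entropy string, the file path and the sample password are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // .NET Framework: reference System.Security.dll
using System.Text;

static class PasswordStore // hypothetical helper, not a framework type
{
    // Optional entropy: the same bytes must be passed to Unprotect. It ships in the
    // binary, so it is not a secret from other code running as the same user.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.PasswordStore.v1");

    public static void Save(string path, string password, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // CurrentUser: only this Windows account can unprotect the blob.
            // LocalMachine: any account on this machine can (CRYPTPROTECT_LOCAL_MACHINE).
            byte[] blob = ProtectedData.Protect(plain, Entropy, scope);
            File.WriteAllText(path, Convert.ToBase64String(blob));
        }
        finally { Array.Clear(plain, 0, plain.Length); } // do not leave plaintext bytes around
    }

    public static string Load(string path, DataProtectionScope scope)
    {
        byte[] blob = Convert.FromBase64String(File.ReadAllText(path));
        // Throws CryptographicException if the blob was modified, the entropy differs,
        // or a CurrentUser blob is opened under a different account.
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    static void Main()
    {
        // Constructed sample values for the round trip.
        string path = Path.Combine(Path.GetTempPath(), "example-password.bin");
        Save(path, "constructed-sample-password", DataProtectionScope.CurrentUser);
        string restored = Load(path, DataProtectionScope.CurrentUser);
        Console.WriteLine(restored == "constructed-sample-password" ? "round trip ok" : "mismatch");
        File.Delete(path);
    }
}
```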
I found this book by Keith Brown: The .NET Developer's Guide to Windows Security. It has some good samples covering all kinds of security scenarios. A free online version is also available.
If you store it as a secure string and save the secure string to a file (possibly using Isolated Storage), the only time you will have a plain text password is when you decrypt it to create your mbstore. Unfortunately, the constructor does not take a SecureString or a Credential object.