Question

I have a WinForms application that has a user login form. I store my users' login information in a database with 3 parameters: username, hashed password, salt:

salt = random string that will be stored in database for every user
hashed password = MD5(MD5(inputPassword) + MD5(salt))

I want to have a check box named Remember me in my login form, so that when a user enters the correct information and checks it, the next time the user opens the program their user information will be entered automatically; the user just needs to click the login button.

I can't save the entered password directly and fill the password textBox with it next time, because I know some software that can read textBoxes like this and it's not secure.

Question:

  1. How can I do that without saving the user password?

  2. If I need to save some information, how do I encrypt it?

  3. Is it necessary to change my security policy?

Note that this is a Client/Server application and the login form is created for the client side.

Was it helpful?

Solution

You can save the hashed value of password in your local database, and you can have a hidden check box, which tells you that you have filled the info from database which is already hashed and while asking authentication you do not need to hash the password value again.

EDIT: If the user tries to enter the password manually then you can clear the text box value and alter the check box checked value, so that you know now the value is not the hashed one.

Other tips

As per my understanding, if you want to have remember me functionality then you should/must have your password stored in some form to authenticate the user.

One way is to have two functionalities in your product. One is to have a hash, and this will be in the database; I think you are doing it currently. Apart from this, also have functionality to Encrypt/Decrypt. When remember me is checked then just save the encrypted value in your app.config file. Now whenever the user opens the application again, check for the encrypted password and decrypt it to authenticate the user.

User dbw just posted my other approach :)

Hope it helps.

IMHO, this can't be done. If you are encrypting/hashing/salting and saving the password in DB then you can't really get it back in plain text.

Of course, you can trick the user (I will tell you how), but need to define what you want the user to do:

  • Enter at least the password again (every time) even after the user has asked to "remember me". This can be done easily: just retrieve the user id and keep the password box blank. No tricks. Plain and simple. Even Google does it for their sites.
  • Now trick time. Let the user enter the application without a password but just a username. You can just enter some default value in the password box (the user will think the password is actually retrieved, but you will program it in such a way that whenever the "remember me" option is selected, you will just auto-fill this info) and let the user go in. But this is not a good option because potentially anyone using that system will be able to log on to your app. You will have to take a call as per your security requirement.

There is functionality for this on Windows. The DataProtector and ProtectedData classes can be used to encrypt binary data based on machine information. You can specify the scope of the encryption to be User based or System based; it can come in handy for this.

  1. If you think it's better you can only serialize the Login Token information not the User credentials.

  2. You just encrypt the serialized information and store that anywhere you want. And decrypt and deserialize it when you want to use it on startup.

  3. I think so, yes.

You can check them out here:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.dataprotector?view=netframework-4.7.2

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=netframework-4.7.2
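The following is an added example, not code from any of the answers above, showing how the two suggestions of encrypting the remembered data (the Encrypt/Decrypt answer) and of serializing only a login token (the ProtectedData answer) fit together in a WinForms client. It assumes the server issues a revocable, expiring login token after a successful password login; the class name, file path, entropy string and token format are assumptions for illustration. On .NET Framework the `ProtectedData` class lives in the `System.Security` assembly, which must be referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answers). Stores a server-issued login
// token with DPAPI so that only the same Windows user account on the same
// machine can decrypt it. The password itself is never written to disk.
public static class RememberMeStore
{
    // Optional extra entropy bound to this application (assumed value);
    // DPAPI mixes it into the key so another app running as the same user
    // cannot decrypt the file without also knowing this value.
    private static readonly byte[] AppEntropy =
        Encoding.UTF8.GetBytes("MyWinFormsApp.RememberMe.v1");

    // Per-user, non-roaming location (assumed path).
    private static string TokenPath =>
        Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
                     "MyWinFormsApp", "remember.bin");

    // Called after a successful login when "Remember me" is checked.
    // `loginToken` is the opaque token the server returned, not the password.
    public static void Save(string username, string loginToken)
    {
        byte[] plaintext = Encoding.UTF8.GetBytes(username + "\n" + loginToken);
        byte[] protectedBytes = ProtectedData.Protect(
            plaintext, AppEntropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
        File.WriteAllBytes(TokenPath, protectedBytes);
        Array.Clear(plaintext, 0, plaintext.Length); // do not leave the token lying in memory
    }

    // Called on startup. Returns false when nothing is stored or when
    // decryption fails (different user or machine, tampered file); the
    // caller then shows the normal login form.
    public static bool TryLoad(out string username, out string loginToken)
    {
        username = null;
        loginToken = null;
        if (!File.Exists(TokenPath)) return false;
        try
        {
            byte[] plaintext = ProtectedData.Unprotect(
                File.ReadAllBytes(TokenPath), AppEntropy, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plaintext).Split(new[] { '\n' }, 2);
            Array.Clear(plaintext, 0, plaintext.Length);
            if (parts.Length != 2) return false;
            username = parts[0];
            loginToken = parts[1];
            return true;
        }
        catch (CryptographicException)
        {
            Forget(); // unreadable file: discard it rather than retry forever
            return false;
        }
    }

    // Called on explicit logout, or when the server rejects the stored token.
    public static void Forget()
    {
        if (File.Exists(TokenPath)) File.Delete(TokenPath);
    }
}
```

On startup the client calls `TryLoad`; if it succeeds, it fills in the username box and sends the stored token to the server instead of a password. The server validates the token against its own record (with an expiry and the ability to revoke it), so the password hash from the database is never sent to or stored on the client, and a token that the server rejects is simply forgotten. `DataProtectionScope.CurrentUser` ties the file to the Windows account that created it; `LocalMachine` scope would let any account on that machine decrypt it and is the weaker choice for a login secret.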

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow