C# - Securely storing a password locally

c# .net security passwords kiosk
23,931

Solution 1

The standard method for storing a password in a configuration file is to use a strong hash algorithm. Read the answer at How to store passwords in Winforms application? and maybe the wiki article at https://en.wikipedia.org/wiki/Cryptographic_hash_function

Solution 2

Store a secure hash of the password, it doesn't need to be reversible.

When someone enters a password you hash that by the same algorithm and check it matches the hash.

Because you never store the actual password it's secure.

I recommend using a key stretching algorithm like PBKDF2. .Net has support for this using Rfc2898DeriveBytes or you can use System.Web.Helpers.Crypto.

Solution 3

I have to disagree with Brian, because as of now the standard method for storing passwords in any database is to "salt" (see Wikipedia for a detailed explanation) the password with a randomly generated value and store the hashed value and the salt in your "database" (see remarks). The salt is not a secret so you can store it in plain text. Whenever the user enters the password you read the salt from your file, apply it to the entered password and then apply your chosen hash algorithm. Then you compare the results with your stored hash. If they match, the user is authenticated. For a good (and entertaining :)) explanation why "just" hashing the password isn't enough, see: How NOT to store passwords! For a tutorial implementation of the salting and hashing process in C# see: C# Salting & Hashing Passwords

You can also find a good way to do this here: https://stackoverflow.com/a/12657970


For a quick reference, the process in pseudocode:

First password storage:

//get user input
username = GetUserName
password = GetPassword

//generate random salt
salt = GetRandomValue

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//store hash value and salt in database
AddToDatabase(username, hashedPassword, salt)


User login:

//get user input
username = GetUserName
password = GetPassword

//read salt from database
salt = GetSaltFromDatabase(username)

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//compare hash to stored hash value
correctHash = GetHashFromDatabase(username)
if (hashedPassword == correctHash) then
    passwordIsCorrect = True
else
    passwordIsCorrect = False
end if


Remarks:

  • This assumes that your usernames are unique as they are used as identifying key in your "database".
  • The "database" doesn't have to be any kind of "real" database, it can also be your configuration file or a plain text file.

Solution 4

You can store a hash of your key and a password somewhere, for example in some local file. When person input key and password, you get hashes for this values and compare it with hashes in your file.

Solution 5

You need a hash of the password and validate using the hashed text. Adding a salt can make your password more secure. In .Net, you can use System.Security.Cryptography.RNGCryptoServiceProvider .

Here is a good article talking about how to store your passwords and I use its way in my web application.

Share:
23,931
romatthe
Author by

romatthe

Updated on July 09, 2022

Comments

  • romatthe
    romatthe almost 2 years

    I'm creating a C# application that will lock out functionality (key combinations, windows task bar, etc.) in a Kiosk-style environment. One of the requirements is that some people should still be able to break out of the application using a key combination and a password.

    The application itself is completely done, but I have not found a good way to store and check against a password. Everything should be stored locally (there is not check against a network database or whatever). How can I define a password for unlocking my application while also making this flexible (the ability to change the password without recompiling the application). How can I accomplish this in a secure way?

  • Keith
    Keith almost 11 years
    Good link, but answers shouldn't just be the link and nothing more.
  • Oscar
    Oscar almost 11 years
    There is a full article, much better than whatever short explanation i can give here ;-)
  • Keith
    Keith almost 11 years
    maybe, but links die off over time. By all means link to a longer article, but the answer should be complete should that link change.
  • Marcus Mangelsdorf
    Marcus Mangelsdorf about 8 years
    Note, that you should always salt your passwords before hashing to avoid rainbowtable attacks!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to hash a password with SHA512
Hide the taskbar using C#
dcomcnfg functionality programmatically
Password hashing in a C# Windows app, absent ASP.NET's FormsAuthentication?
HttpWebRequest + Windows Auth - NetworkCredential just doesn't work
How to present credentials in order to open file?
X509 guide/tutorial in C#
Building an ASP.NET MVC Master Page Menu Dynamically, Based on the current User's "Role"
MD5 hash with salt for keeping password in DB in C#
create zip file in .net with password