Saving Passwords

joe_pool_is

What's the best method of saving a client's password?

For example, I have an FTP tool where the client has to supply a username
and password. I could just store the password in a local variable, but then
the client would need to re-supply that every time.

Is there a recommended way to store passwords on the PC?
Would I store in the registry, a binary file in the Application Data folder, or something else?

Thanks for helping.
 
I don't know where... I would say that that is up to you, but I would recommend hashing passwords so that they can never possibly (speaking realistically) be retrieved. Look into MD5 and SHA1 classes in System.Security.Cryptography.
 
marble_eater said:
I don't know where... I would say that that is up to you, but I would recommend hashing passwords so that they can never possibly (speaking realistically) be retrieved. Look into MD5 and SHA1 classes in System.Security.Cryptography.

SHA1 or MD5 would prevent me being able to use the passwords to log the user in. Think of the Dial-Up Networking dialog box where the user has the ability to check a box to remember their password. If Microsoft uses SHA1 or MD5 to store that information, how then do they retrieve it to log the person into their account later? I'm not sure about MD5, but I know that once a password has been "SHA1-ed" and stored, it cannot be "un-SHA1-ed" to use again. I guess one way to do it would be to take what they input, SHA1 that, and use the new value as their password, which could be stored. ...but wouldn't that ruin the whole purpose behind using Cryptography?
HJB417 said:
I spent some time on that MSDN link, and it looks like an entire class on places where downloaded internet code is allowed to run and ways of storing "user, domain, and assemblies." I did a quick browse of it, but I didn't see what I was supposed to get from that. ...unless I missed something by skimming over it too fast. ...which happens sometimes.

A Dial-Up Networking class is basically what I am looking to implement or copy for use in our company's simple (very simple) FTP utility. What technique does Dial-Up Networking use to store/retrieve passwords? Where is that information stored?
 
PlausiblyDamp said:
Is this a per user password or a system wide password or some combination?
I'd rather keep it a per user password, whereas Dial-Up Networking is system wide. If I could find out how Dial-Up Networking stores its passwords, I would feel relatively safe using the same techniques on a per user basis.

Right now, I'm storing it in the Registry as binary. If someone cares, it is easy to crack. I thought there might be a simple solution, but it doesn't look like it.
 
There have been well-documented problems with how poorly Windows 9x stores the passwords - several tools are freely available to recover them. XP / 2000 manage this a whole lot better though.

If you are using the encryption classes provided by .Net, the code is fairly simple and the resultant data should be encrypted sufficiently well.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/encryptdecrypt2a.asp is a pretty good article on what is required and also looks at the idea of using an X.509 certificate to encrypt the data - this can reduce the weakness in how the key itself is stored.
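The thread's two threads of advice pull in different directions: a hash (marble_eater's suggestion) only lets a program verify a password, it cannot hand the password back to an FTP server, so an FTP client needs reversible protection; and reversible protection with a key the program stores itself just moves the problem to the key, which is the weakness PlausiblyDamp's last post points at. The example below is added here and is not code from any poster; it shows one way to meet both needs on a per-user basis using System.Security.Cryptography.ProtectedData (DPAPI), where Windows derives the protection key from the user's own logon credentials so the program never stores a key at all. It assumes .NET 2.0 or later on Windows (or the System.Security.Cryptography.ProtectedData package on modern .NET); the folder name "ExampleFtpTool", the entropy string, and the host/user values in Main are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread. One encrypted file per (host, user)
// pair under the user's Local Application Data folder, protected with DPAPI
// in CurrentUser scope so only the same Windows account can unprotect it.
static class FtpCredentialStore
{
    // Secondary entropy mixed into the DPAPI key derivation. It is not a secret:
    // it only stops an unrelated program running as the same user from
    // unprotecting the blob by accident. (Constructed value for this example.)
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleFtpTool-v1");

    private static string PathFor(string host, string user)
    {
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            "ExampleFtpTool");
        Directory.CreateDirectory(dir);
        // Turn host + user into a file-system-safe name (URL-safe Base64).
        string name = Convert.ToBase64String(Encoding.UTF8.GetBytes(host + "\n" + user))
            .Replace('/', '_').Replace('+', '-');
        return Path.Combine(dir, name + ".bin");
    }

    public static void Save(string host, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(PathFor(host, user), blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // drop the plaintext copy promptly
        }
    }

    // Returns null when nothing is stored or when the blob cannot be unprotected
    // (different Windows user, different machine, or a tampered file).
    public static string Load(string host, string user)
    {
        string path = PathFor(host, user);
        if (!File.Exists(path)) return null;
        byte[] blob = File.ReadAllBytes(path);
        byte[] plain;
        try
        {
            plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        }
        catch (CryptographicException)
        {
            return null;
        }
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Forget(string host, string user)
    {
        string path = PathFor(host, user);
        if (File.Exists(path)) File.Delete(path);
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample values; nothing here contacts a real server.
        FtpCredentialStore.Save("ftp.example.test", "alice", "correct horse");
        string pw = FtpCredentialStore.Load("ftp.example.test", "alice");
        Console.WriteLine(pw == "correct horse" ? "round trip ok" : "round trip failed");
        FtpCredentialStore.Forget("ftp.example.test", "alice");
    }
}
```

Compared with writing the bytes to the registry, the gain is that there is no key in the program or on disk to find: the blob is useless under another account or on another machine. The limit to keep in mind is that any process running as the same user can call Unprotect just as this tool does, so DPAPI protects the saved password from other users and from offline copying of the file, not from code already running in that user's session.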
 