Michael Wittenburg

Hi,

The app I'm working on is a Windows Forms app that needs to remember a user's password if the appropriate checkbox is checked.

The app does the following:

  1. Generates an RSA keypair using RSACryptoServiceProvider
  2. Saves that keypair to a key container using CspParameters.KeyContainer
  3. Uses that keypair to encrypt the user's password
  4. Saves the encrypted password in the app.config file
  5. Creates an SHA2 hash of the password using SHA512Managed
  6. Compares that hash value to the password hash stored in the database

Is this acceptable best practice? Is a config file a suitable place to store an encrypted password (the same process is used to store the connection string)? I get the fact that the keypair is saved to the key store using the user's Windows credentials, so that's cool, I think.

If the process outlined above is deemed secure enough then, ok. Otherwise I will strip the "remember password" feature. It undermines the password hash in the database.

Wouldn't mind hearing how others are dealing with this on Vista. Thanks for any input.

Michael
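The six steps in the post, as an added example in C# (not the poster's own code): the container name is assumed, the password is constructed, and the hash comparison is written to run in constant time.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original poster's code: the six steps from the post,
// with a constructed password standing in for the checkbox-saved one.
public static class RememberPassword
{
    private const string ContainerName = "MyApp.RememberPassword"; // assumed name

    // Steps 1-2: first call creates the keypair in the current user's key
    // store; later calls load it. Only ciphertext goes to app.config, and the
    // private key is bound to this Windows account (any code running as this
    // user can still use it, so the protection is per-account, not per-app).
    private static RSACryptoServiceProvider OpenUserKey()
    {
        var csp = new CspParameters { KeyContainerName = ContainerName };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Steps 3-4: encrypt with OAEP padding, return base64 for an appSettings value.
    public static string Protect(string password)
    {
        using (var rsa = OpenUserKey())
            return Convert.ToBase64String(rsa.Encrypt(Encoding.UTF8.GetBytes(password), true));
    }

    // Read the base64 value back from app.config and decrypt.
    public static string Unprotect(string base64Cipher)
    {
        using (var rsa = OpenUserKey())
            return Encoding.UTF8.GetString(rsa.Decrypt(Convert.FromBase64String(base64Cipher), true));
    }

    // Steps 5-6: SHA-512 the recovered password and compare with the stored
    // hash in constant time so the comparison does not leak a matching prefix.
    public static bool MatchesStoredHash(string password, byte[] storedHash)
    {
        byte[] hash;
        using (var sha = new SHA512Managed())
            hash = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
        if (hash.Length != storedHash.Length) return false;
        int diff = 0;
        for (int i = 0; i < hash.Length; i++) diff |= hash[i] ^ storedHash[i];
        return diff == 0;
    }
}
```

`Protect(password)` yields the string to write to app.config; on the next launch, `Unprotect` that value and pass the result to `MatchesStoredHash` together with the SHA-512 value read from the database.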



Re: Security for Applications in Windows Vista Storing encrypted keys and passwords

AlexBB

Michael Wittenburg wrote:

Hi,

The app I'm working on is a Windows Forms app that needs to remember a user's password if the appropriate checkbox is checked.

The app does the following:

  1. Generates an RSA keypair using RSACryptoServiceProvider
  2. Saves that keypair to a key container using CspParameters.KeyContainer
  3. Uses that keypair to encrypt the user's password
  4. Saves the encrypted password in the app.config file
  5. Creates an SHA2 hash of the password using SHA512Managed
  6. Compares that hash value to the password hash stored in the database

Is this acceptable best practice? Is a config file a suitable place to store an encrypted password (the same process is used to store the connection string)? I get the fact that the keypair is saved to the key store using the user's Windows credentials, so that's cool, I think.

If the process outlined above is deemed secure enough then, ok. Otherwise I will strip the "remember password" feature. It undermines the password hash in the database.

Wouldn't mind hearing how others are dealing with this on Vista. Thanks for any input.

Michael

I implemented this link in full. The classes work for me. I store my encrypted PWs and keys in a SQL Server DB table. The table name is camouflaged also.

ms-help://MS.VSCC.v80/MS.MSDN.vAug06.en/dv_fxsecurity/html/0dbcbd8d-0dcf-40e9-9f0c-e3f162d35ccc.htm