How to store passwords in Winforms application?

I have some code similar to this in a WinForms application that I was using to query a customer's mailbox storage quota.

// Requires: using System.DirectoryServices;
DirectoryEntry mbstore = new DirectoryEntry(
      @"LDAP://" + strhome,
      m_serviceaccount,
      m_pwd,   // service account password, passed as a plain string
      AuthenticationTypes.Secure);

No matter what approach I tried (like SecureString), I am easily able to see the password (m_pwd), either using Reflector or using the strings tab of Process Explorer for the executable.

I know I can put this code on the server, or tighten up the security using mechanisms like delegation and giving only the required privileges to the service account.

Can someone recommend a reasonably secure way to store the password in the local application without disclosing the password to hackers?

Hashing is not feasible since I need to know the exact password (not just the hash for matching purposes). Encryption/decryption mechanisms are not working since they are machine dependent.

32
2022-06-07 14:37:57
Answers: 3

I found this book by Keith Brown, The .NET Developer's Guide to Windows Security. It has some excellent examples covering all sorts of security scenarios. A free online version is also available.

5
2022-06-08 05:12:25

If you store it as a SecureString and save the SecureString to a file (perhaps using Isolated Storage), the only time you will have a plain text password is when you decrypt it to create your mbstore. However, the constructor does not take a SecureString or a Credential object.

2
2022-06-07 15:05:31

The sanctified method is to use CryptoAPI and the Data Protection APIs.

To encrypt, use something like this (C++):

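// Requires <windows.h> and <wincrypt.h>; link with Crypt32.lib.
DATA_BLOB blobIn, blobOut;
blobIn.pbData=(BYTE*)data;
blobIn.cbData=(DWORD)(wcslen(data)*sizeof(WCHAR));

// CryptProtectData returns FALSE on failure; blobOut is only valid on success.
if (!CryptProtectData(&blobIn, description, NULL, NULL, NULL, CRYPTPROTECT_LOCAL_MACHINE | CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
    return false;   // assumes an enclosing function that returns bool
_encrypted=blobOut.pbData;   // allocated by the API; release with LocalFree()
_length=blobOut.cbData;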

Decryption is the reverse:

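DATA_BLOB blobIn, blobOut;
blobIn.pbData=const_cast<BYTE*>(data);
blobIn.cbData=length;

// CryptUnprotectData returns FALSE on failure; blobOut is only valid on success.
if (!CryptUnprotectData(&blobIn, NULL, NULL, NULL, NULL, CRYPTPROTECT_UI_FORBIDDEN, &blobOut))
    return false;   // assumes an enclosing function that returns bool

std::wstring _decrypted;
_decrypted.assign((LPCWSTR)blobOut.pbData,(LPCWSTR)blobOut.pbData+blobOut.cbData/sizeof(WCHAR));

// Wipe and release the plaintext buffer allocated by the API.
SecureZeroMemory(blobOut.pbData, blobOut.cbData);
LocalFree(blobOut.pbData);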

If you do not specify CRYPTPROTECT_LOCAL_MACHINE then the encrypted password can be securely stored in the registry or a config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.

25
2022-06-07 15:05:22
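The DPAPI approach from the last answer, as an added C# example for the WinForms side (not code from the original posts): it uses .NET's ProtectedData wrapper with CurrentUser scope, so only the Windows account that stored the blob can decrypt it, and the blob is created on the target machine rather than shipped in the executable. The class name, file location and entropy string are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData (System.Security assembly or NuGet package)
using System.Text;

// Hypothetical helper; class name, path and entropy value are illustrative.
static class ServicePasswordStore
{
    // Optional entropy: a caller must supply the same bytes to unprotect.
    // It sits in the exe, so it is not a secret in its own right.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MailboxQuotaTool-v1");

    static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MailboxQuotaTool", "svc.bin");

    // Run once on the target machine (for example from a first-run prompt).
    public static void Save(string password)
    {
        byte[] plain = Encoding.Unicode.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }   // wipe the plaintext bytes
    }

    // Throws CryptographicException if the blob cannot be decrypted,
    // e.g. it was created under another account or has been modified.
    public static string Load()
    {
        byte[] blob = File.ReadAllBytes(BlobPath);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.Unicode.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

// Call site from the question: decrypt only at the moment of use.
// var mbstore = new DirectoryEntry(@"LDAP://" + strhome, m_serviceaccount,
//     ServicePasswordStore.Load(), AuthenticationTypes.Secure);
```

The string returned by Load() is still plaintext in managed memory while DirectoryEntry uses it, so this protects the password at rest and keeps it out of the binary, not out of reach of a debugger attached to the running process.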