C# - Securely storing a password locally

Question

I\'m creating a C# application that will lock out functionality (key combinations, windows task bar, etc.) in a Kiosk-style environment. One of the requirements is that some

Answer 1

I have to disagree with Brian, because as of now the standard method for storing passwords in any database is to "salt" (see Wikipedia for a detailed explanation) the password with a randomly generated value and store the hashed value and the salt in your "database" (see remarks). The salt is not a secret so you can store it in plain text. Whenever the user enters the password you read the salt from your file, apply it to the entered password and then apply your chosen hash algorithm. Then you compare the results with your stored hash. If they match, the user is authenticated. For a good (and entertaining :)) explanation why "just" hashing the password isn't enough, see: How NOT to store passwords! For a tutorial implementation of the salting and hashing process in C# see: C# Salting & Hashing Passwords

You can also find a good way to do this here: https://stackoverflow.com/a/12657970

For a quick reference, the process in pseudocode:

First password storage:

//get user input
username = GetUserName
password = GetPassword

//generate random salt
salt = GetRandomValue

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//store hash value and salt in database
AddToDatabase(username, hashedPassword, salt)

User login:

//get user input
username = GetUserName
password = GetPassword

//read salt from database
salt = GetSaltFromDatabase(username)

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//compare hash to stored hash value
correctHash = GetHashFromDatabase(username)
if (hashedPassword == correctHash) then
    passwordIsCorrect = True
else
    passwordIsCorrect = False
end if

Remarks:

• This assumes that your usernames are unique as they are used as identifying key in your "database".
• The "database" doesn't have to be any kind of "real" database, it can also be your configuration file or a plain text file.

Answer 2

You need a hash of the password and validate using the hashed text. Adding a salt can make your password more secure. In .Net, you can use System.Security.Cryptography.RNGCryptoServiceProvider .

Here is a good article talking about how to store your passwords and I use its way in my web application.

Answer 3

Is relatively easy using ProtectSection() and UnprotectSection() methods from SectionInformation class. See this article:

http://www.davidgiard.com/2012/06/05/EncryptingAndDecryptingApplicationConfigSections.aspx

http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx

Answer 4

Store a secure hash of the password, it doesn't need to be reversible.

When someone enters a password you hash that by the same algorithm and check it matches the hash.

Because you never store the actual password it's secure.

I recommend using a key stretching algorithm like PBKDF2. .Net has support for this using Rfc2898DeriveBytes or you can use System.Web.Helpers.Crypto.

Answer 5

The standard method for storing a password in a configuration file is to use a strong hash algorithm. Read the answer at How to store passwords in Winforms application? and maybe the wiki article at https://en.wikipedia.org/wiki/Cryptographic_hash_function

Answer 6

You can store a hash of your key and a password somewhere, for example in some local file. When person input key and password, you get hashes for this values and compare it with hashes in your file.