How to securely save username/password (local)?

by

If you are just going to verify/validate the entered user name and password, use the Rfc2898DerivedBytes class (also known as Password Based Key Derivation Function 2 or PBKDF2). This is more secure than using encryption like Triple DES or AES because there is no practical way to go from the result of RFC2898DerivedBytes back to the password. You can only go from a password to the result. See Is it ok to use SHA1 hash of password as a salt when deriving encryption key and IV from password string? for an example and discussion for .Net or String encrypt / decrypt with password c# Metro Style for WinRT/Metro.

If you are storing the password for reuse, such as supplying it to a third party, use the Windows Data Protection API (DPAPI). This uses operating system generated and protected keys and the Triple DES encryption algorithm to encrypt and decrypt information. This means your application does not have to worry about generating and protecting the encryption keys, a major concern when using cryptography.

In C#, use the System.Security.Cryptography.ProtectedData class. For example, to encrypt a piece of data, use ProtectedData.Protect():

// Data to protect. Convert a string to a byte[] using Encoding.UTF8.GetBytes().
byte[] plaintext; 

// Generate additional entropy (will be used as the Initialization vector)
byte[] entropy = new byte[20];
using(RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
{
    rng.GetBytes(entropy);
}

byte[] ciphertext = ProtectedData.Protect(plaintext, entropy,
    DataProtectionScope.CurrentUser);

Store the entropy and ciphertext securely, such as in a file or registry key with permissions set so only the current user can read it. To get access to the original data, use ProtectedData.Unprotect():

byte[] plaintext= ProtectedData.Unprotect(ciphertext, entropy,
    DataProtectionScope.CurrentUser);

Note that there are additional security considerations. For example, avoid storing secrets like passwords as a string. Strings are immutable, being they cannot be notified in memory so someone looking at the application’s memory or a memory dump may see the password. Use SecureString or a byte[] instead and remember to dispose or zero them as soon as the password is no longer needed.

More Related Contents:

  1. What are good ways to prevent SQL injection? [duplicate]
  2. How to hash a password
  3. JWT authentication for ASP.NET Web API
  4. Why is JsonRequestBehavior needed?
  5. ASP.NET Identity’s default Password Hasher – How does it work and is it secure?
  6. Requested registry access is not allowed
  7. Is SecureString ever practical in a C# application?
  8. How can I make my product as a trial version for 30 days?
  9. How can I obfuscate my c# code, so it can’t be deobfuscated so easily? [closed]
  10. MD5 hash with salt for keeping password in DB in C#
  11. In .NET/C# test if process has administrative privileges
  12. How to validate domain credentials?
  13. Storing credit card details
  14. Does using parameterized SqlCommand make my program immune to SQL injection?
  15. How to use a client certificate to authenticate and authorize in a Web API
  16. Encrypting credentials in a WPF application
  17. Securing a password in source code?
  18. How do I get the currently loggedin Windows account from an ASP.NET page?
  19. Child actions are not allowed to perform redirect actions, after setting the site on HTTPS [duplicate]
  20. Calculating HMACSHA256 using c# to match payment provider example
  21. How to convert SecureString to System.String?
  22. In .NET 4.0, how do I ‘sandbox’ an in-memory assembly and execute a method?
  23. How to access the stored credentials (PasswordVault?) on Win7 and Win8?
  24. Access files from network share in c# web app
  25. Compare password hashes between C# and ColdFusion (CFMX_COMPAT)
  26. C#.NET: Acquire administrator rights?
  27. Store sensitive information inside keepass database from c#
  28. RSA read PublicKey
  29. Block requests after multiple unsuccessful logins
  30. difference between http.context.user and thread.currentprincipal and when to use them?

Leave a Comment