C# - Securely storing a password locally

2019-02-13 16:51发布

问题:

I'm creating a C# application that will lock out functionality (key combinations, windows task bar, etc.) in a Kiosk-style environment. One of the requirements is that some people should still be able to break out of the application using a key combination and a password.

The application itself is completely done, but I have not found a good way to store and check against a password. Everything should be stored locally (there is not check against a network database or whatever). How can I define a password for unlocking my application while also making this flexible (the ability to change the password without recompiling the application). How can I accomplish this in a secure way?

回答1:

The standard method for storing a password in a configuration file is to use a strong hash algorithm. Read the answer at How to store passwords in Winforms application? and maybe the wiki article at https://en.wikipedia.org/wiki/Cryptographic_hash_function



回答2:

Store a secure hash of the password, it doesn't need to be reversible.

When someone enters a password you hash that by the same algorithm and check it matches the hash.

Because you never store the actual password it's secure.

I recommend using a key stretching algorithm like PBKDF2. .Net has support for this using Rfc2898DeriveBytes or you can use System.Web.Helpers.Crypto.



回答3:

You can store a hash of your key and a password somewhere, for example in some local file. When person input key and password, you get hashes for this values and compare it with hashes in your file.



回答4:

I have to disagree with Brian, because as of now the standard method for storing passwords in any database is to "salt" (see Wikipedia for a detailed explanation) the password with a randomly generated value and store the hashed value and the salt in your "database" (see remarks). The salt is not a secret so you can store it in plain text. Whenever the user enters the password you read the salt from your file, apply it to the entered password and then apply your chosen hash algorithm. Then you compare the results with your stored hash. If they match, the user is authenticated. For a good (and entertaining :)) explanation why "just" hashing the password isn't enough, see: How NOT to store passwords! For a tutorial implementation of the salting and hashing process in C# see: C# Salting & Hashing Passwords

You can also find a good way to do this here: https://stackoverflow.com/a/12657970


For a quick reference, the process in pseudocode:

First password storage:

//get user input
username = GetUserName
password = GetPassword

//generate random salt
salt = GetRandomValue

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//store hash value and salt in database
AddToDatabase(username, hashedPassword, salt)


User login:

//get user input
username = GetUserName
password = GetPassword

//read salt from database
salt = GetSaltFromDatabase(username)

//combine password and salt and apply hash
hashedPassword = Hash(password + salt)

//compare hash to stored hash value
correctHash = GetHashFromDatabase(username)
if (hashedPassword == correctHash) then
    passwordIsCorrect = True
else
    passwordIsCorrect = False
end if


Remarks:

  • This assumes that your usernames are unique as they are used as identifying key in your "database".
  • The "database" doesn't have to be any kind of "real" database, it can also be your configuration file or a plain text file.


回答5:

You need a hash of the password and validate using the hashed text. Adding a salt can make your password more secure. In .Net, you can use System.Security.Cryptography.RNGCryptoServiceProvider .

Here is a good article talking about how to store your passwords and I use its way in my web application.



回答6:

Is relatively easy using ProtectSection() and UnprotectSection() methods from SectionInformation class. See this article:

http://www.davidgiard.com/2012/06/05/EncryptingAndDecryptingApplicationConfigSections.aspx

http://msdn.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx