I am working on the security issue in .net application and I have been reported that My code is vulnerable and I see the issue is the way I store the password
For example:
<add key="RegxxxChannelPassword" value="test"/>
<add key="xxxRegistrationConnStr" value="xxxxxxxxxx;
So my tool was showing that storing the password in plain text is dangerous .
So can I encrpt the password and save it?
Can some one please suggest me if there are any algorithms?
It'd be much more simple to use a membership provider. If you're doing the encryption on your own you're reinventing the wheel and disregarding what the framework could do for you.
I suggest you go read about it.
The relevant property of the provider, in this case, is passwordFormat.
Edit: for a moment there I thought you were talking about user passwords. If it's a password for a connection string, it should be in a .config file, like web.config. If you have it in the proper place, VS won't complain about it being unencrypted, since it's content that will never get served to a client anyway.
You can encrypt sections of the web.config using aspnet_regiis, but the web.config is a pretty standard place to store passwords and such, as long as the website is deployed to a server that you own. You could also put the values in the registry, but in most cases, that's unnecessary. Here's an article on encrypting web.config sections:
http://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.100%29.aspx
If you go that route, you'll run the command to encrypt the web.config as a deployment step, and the application will handle decrypting and using the values on its own.
I'd recommend that you have a look that Rijndael for two-way encryption, if you want to store your password in Web.config:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.rijndael.aspx
I agree with #Renan, the proper way to go, is to use MembershipProvider.
Related
I have been requested from my partner to use his API, and to use this API, I should encrypt all sent data to AES 256. He shared a .jks file with me, in addition to some parameters with values like (Alias, KEYSTORE_PASSWORD and KEY_PASSWORD), then he told me that the password which I should use for encryption is stored in that JKS file, and to open it, I should use the pre-shared parameters.
So, how can I reach that?
UPDATE ...
This is not a web service am trying to invoke, I just need to get the Password which is stored in the JKS file, so, I am not going to invoke an API or import a certificate into my client app. So, it doesn't matter if opening the app by C# or any other tool, i just need to get the password in order to use it later in encrypting some data.
I opened the given file by using KeyStore Explorer, then I imported the file into the app and providing it with all shared info like KeyStore_Password and Key_Password. Eventually, it opens.
I know that is away off C#, but all what I needed is to get the Password which is stored in that file, and this was my first time to deal with something like that.
But you cannot access "TrustedCertEntry". It is a restriction.
See: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#InstallProbs
Problem
I am creating a set of automated tests that require a username and password to be given to log on to the application to be tested. I have a function LogOnToApplication(string username, string password) that takes the log on info as strings, and logs on to the application. Currently, I am defining two strings as such:
string username = "username";
string password = "supersecretpassword";
And passing to my function with
utilities.LogOnToApplication(username, password);
This works just fine for the purpose of my tests, but I know that doing this in this manner is risky and insecure. These tests are widely distributed, and setting my tests up this way could easily lead to a security breach.
Question
What is the best method to remove the username and password strings from my code? I have thought about creating a separate file to store this info in, and pulling from the file when the information is needed, but this really does not solve the problem, it just relocates the sensitive information.
You could put them in the App.Config file under AppSettings and get them with ConfigurationManager
Settings code:
<appSettings>
<add key="username" value="lol" />
<add key="password" value="hunter2" />
</appSettings>
and to access them
var username = ConfigurationManager.AppSetting["username"];
var password = ConfigurationManager.AppSetting["password"];
As I wrote in the comments, I don't think the exact thing you want to do is possible. in some point your program will need to run the line utilities.LogOnToApplication(username, password); where username and password are plain strings. If the program is running on my computer I can connect a debugger and get the data. There are ways to make it harder, but this battle is fought between hackers and games developers, and the loser is the side you are trying to join.
The safest thing will be to rethink about the testing - do you really need them "widely distributed"? if no, don't.
There are some ways to make it harder to get the u/p, it all depends on how much effort you are willing to put into this.
I'm currently working on a Windows Application Project and I have two problems in securing data.
First,I need to make a file that store a password as string which the user should enter it every time the main form loads, I tried many ways but each one has a problem:
Hashing the string and save it in a file, so every time user enter the password the input password will be hashed and compared with the hashed string
Problem: Decompiling the application let anyone see the hashing method and file location, so he/she can create text file with hashed value of any string like 0000 and replace that file with my application file, then use the 0000 to open the application
Using encryption algorithm with custom encryption key
Problem: key can be accessed after Decompiling the application
The other problem is for connection string of an online MySql Database that used in the application but I do not want any user see the connection string:
Encrypting the connection string with DataProtectionConfigurationProvider
Problem: other machines can't decrypt and use the string
Encrypt and save the connection string in a file and decrypt and use that file when application load
Problem: Decryption method can be known from source code after Decompiling
Is there anyway I can use except Obfuscating the source code?
I mean like storing these sensitive data in a file that can be read/written by my application only?
Feel free to write any advice about my problems and Thanks in advance
Try to save your files with hashed passwords in the web with read-only permissions. Or use dll written using unmaneged code (c++)
Whilst pair programming with database systems, sometimes we end up temporarily hardcoding credentials (typically of our own accounts), which leads to slight awkwardness with the partner trying to look away whenever the password is onscreen. Is there any simple way of using basic obfuscation (ie, rot13) to hardcode a password without other developers taking a quick look and seeing my password?
It doesn't need to be secure. It only needs to grease the social aspect. I don't want anything complex involving super secure encryption or reading passwords out of files etc. This has to be quick to implement (i.e. 10 seconds max) whilst coding on the fly. Ideally I want something like:
string password = string.rot13("zlcnffjbeq");
Does anything like this already exist?
To configure SQL Server for Windows integrated security
From the Windows Start menu, select Microsoft SQL Server, and then select Enterprise Manager.
Open the node for the server and expand the node for the database you want to give users permissions for.
Right-click the Users node and select New Database User.
In the Database User Properties dialog box, enter domain\username in the Login name box, and then click OK. Additionally, configure the SQL Server to allow all domain users to access the database.
From MSDN. Connection strings become Server=x;Initial Catalog=y;Integrated Security=true instead of Server=x;Initial Catalog=y;User=you;Pwd=yourpassword.
I would suggest to store your password in a config file. For source control, use a dummy one. Then after getting latest version of the config file on your PC, you can modify the config by adding your password.
You could use base64 and just keep the base64 version of your password somewhere handy for cut and paste, bearing in mind that your system admin will have a blue fit if they find out about this. Both the suggestions in comments (#Oli/#CodeCaster) are preferable to this, imo.
DPAPI is more work but arguably a balanced solution to your requirement, with some security.
The .NET Framework provides access to the data protection API (DPAPI),
which allows you to encrypt data using information from the current
user account or computer. When you use the DPAPI, you alleviate the
difficult problem of explicitly generating and storing a cryptographic
key.
Maybe you can store your password in a String variable like here
/* Variable that stores the password */ string pwd = "12345";
string password = string.rot13(pwd);
and tab it out of the visual range of the editor. This would be a proper solution to your problem.
Then you can use the string variable somewhere else in your code and no one can see your password unless he scrolls to the right
I am using Application settings in my c# project to save gmail username and password. Before saving the settings I am encrypting the plain text password. When I am restarting the app retrieving them is of course without any problem but the retrieved password is encrypted. What I want is to decrypt it back before binding back to the textbox
The code generated by the designer is something like the follows:
this.tb_Gmail_Password.DataBindings.Add(new System.Windows.Forms.Binding("Text", global::MyApp.Properties.Settings.Default, "GmailPassword", true, System.Windows.Forms.DataSourceUpdateMode.OnPropertyChanged));
I don’t know if I am able to put my question properly. Plz feel free to kick me if I sound like speaking alien language. I will give more description as per your suggestion…
Regards,
N10i.
--edit--
while saving the configuration i am using a custom function to encrypt the password i.e.
Properties.Settings.Default.GmailPassword = MyApp.EncPass(tb_Gmail_Password.Text);
can i use something similar like
this.tb_Gmail_Password.DataBindings.Add(new System.Windows.Forms.Binding("Text", global::MyApp.Properties.Settings.Default, MyApp.DecPass("GmailPassword"), true, System.Windows.Forms.DataSourceUpdateMode.OnPropertyChanged));
i.e.
MyApp.DecPass("GmailPassword")
You encrypt the configuration using DPAPI DpapiProtectedConfigurationProvider, and you decrypt it using the same at application start up, see Encrypting Configuration Information Using Protected Configuration.