Re: Secure password storing

From: Elp (rockfamily_at_REMOVEME.hotmail.com)
Date: 06/05/04 

Date: Sat, 5 Jun 2004 18:46:08 +0100

"Gordon Knote" <anonymous@discussions.microsoft.com> wrote in message
news:0CCEBAB6-847D-4B7E-ADD4-4E27B333C922@microsoft.com...
> Hi,
>
> thanks for your answer. The reason why I can't store a hash is that the
password is stored only for the user's comfort so that he doesn't have to
enter it again and again. Unfortunately, the server the client talks to just
wants the password in plaintext, not hashed...so there's no choice for me.
> Sure, encrypting is quite a good idea, but with which key? How does
Microsoft solve the problem (e.g. in the internet explorer, or passport...)?

Well, don't you have any way to modify the Server application? :-)

If not, then you're facing a big problem here. You can for sure encrpyt it
with a symetric key, there are loads of free libraries out there that will
do that for you. However, the problem remains the same, where and how would
you store the key? I believe (i hope at least) that IE or the Microsoft
passport system are only storing hash of the passwords.

You can always go the easy way by using symetric encryption and do some
dirty things such as derivating the key from the processor serial number or
hardcoding it in your obfuscated code but all that will not discourage
anybody who really want to break your system. This is not in any way
something called security.

Sorry not to provide THE answer but i can suggest you to have a look at the
archives of this newsgroup: microsoft.public.dotnet.security or even post
your question there. You'll have maybe more usefull advices than here.

Relevant Pages

  • Re: bad code, needs work...
    ... > The problem I am getting is checking to see if one field matches the city, ... The outfile opens can be handled in a loop that will at least prevent ... then store that scalar into a hash, which would be a convenient way to ... Again if you store the output handles to a hash, ...
    (perl.beginners)
  • Re: Best practices for storing/retrieving login credentials
    ... you must make sure that incoming callers are allowed to make FTP ... I think - Roy is interested in is how to protect the common FTP credentials. ... You cannot hash the FTP password, because the application needs to provide ... > then have to consider how to store the encryption key. ...
    (microsoft.public.dotnet.security)
  • Re: (OT) lincense protection generator
    ... Jarek Zgoda wrote: ... It could be a long string and then take a hash from it and store the hash value. ... generate sha1 sum of general machine configuration and store it on random internet node. ... These people are, to put it mildly, not the most computer savant people around. ...
    (comp.lang.python)
  • Re: Parsing Large Files
    ... This gives me the hash %id which is keyed by ... Since you want to have the Y and X, store ... It is easier to sort in memory than ... to sort files from perl. ...
    (comp.lang.perl.misc)
  • Re: Is it necessary to store the entire MD5, etc. hash for validation?
    ... >I want to store the last 10 passwords used on a legacy database that, ... but I don't have room to store 10x128+ bytes. ... I think you are mistaken about the size of the output of hash functions, ... passphrase hashes if you use SHA-256, ...
    (sci.crypt)