#1

    Program Password Creation


    Hi, I've made a program I would like to restrict access to by prompting the user to register a username and password during startup. Now I have set up a system where the entered username and password are saved into a text file in the program folder; however, this is inefficient as the user can just look in the program folder, and UAC issues occur in writing files to the Program Files folder.

    I'm looking for an alternative I can use, such as writing the username and password in the registry or something. Any suggestions?
#2
    Originally Posted by chisoko_n
    Hi, I've made a program I would like to restrict access to by prompting the user to register a username and password during startup. Now I have set up a system where the entered username and password are saved into a text file in the program folder; however, this is inefficient as the user can just look in the program folder, and UAC issues occur in writing files to the Program Files folder.

    I'm looking for an alternative I can use, such as writing the username and password in the registry or something. Any suggestions?
    You should never store a plain password. Store only a digested or hashed version of it. And use a salt when digesting or hashing to improve the strength. Look for SHA-512 or MD6 for a hash method currently strong enough.

    I wrote an article about using special folders under UAC. I think you should read it.
#3
    Originally Posted by Luthfi
    You should never store a plain password. Store only a digested or hashed version of it. And use a salt when digesting or hashing to improve the strength. Look for SHA-512 or MD6 for a hash method currently strong enough.

    I wrote an article about using special folders under UAC. I think you should read it.
    I looked up SHA-512 and I came across this link: http://www.example-code.com/delphi/crypt_hash_algorithms.asp

    I did however have to install ChilkatCrypt, available from: http://www.example-code.com/delphi/sig_create_p7s_4.asp

    It didn't have MD6, however I used SHA-512. Now that I have encrypted the string, I then use your article on ideal storage locations to save my file with the hashes, right? What do you recommend I save the file as, because I was thinking a file (text file) which I can easily check for existence rather than the registry.
#4
    Originally Posted by chisoko_n
    I looked up SHA-512 and I came across this link: http://www.example-code.com/delphi/crypt_hash_algorithms.asp

    I did however have to install ChilkatCrypt, available from: http://www.example-code.com/delphi/sig_create_p7s_4.asp

    It didn't have MD6, however I used SHA-512. Now that I have encrypted the string, I then use your article on ideal storage locations to save my file with the hashes, right? What do you recommend I save the file as, because I was thinking a file (text file) which I can easily check for existence rather than the registry.
    Both MD6 and SHA-512 hash data to 512 bits. Quite strong against dictionary attack. At least for now and some time in the future. Although actually you don't have to be too paranoid if your application does not have to protect very sensitive information.

    About the storage location, it really depends on the nature of your application. Please study carefully the differences between "All users" and "current user", also the roaming and non-roaming.
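
The advice in this thread (salted hash, never the plain password, stored in a per-user folder instead of Program Files) as an added example that is not part of the original posts, written in Python and not the Delphi/Chilkat code the posters used. It swaps the single salted SHA-512 pass for PBKDF2-HMAC-SHA512, an iterated construction built on the same hash; the record layout, the file name `credentials.txt`, the iteration count and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets
from pathlib import Path

ITERATIONS = 210_000  # assumed work factor; raise it as far as startup time allows
SALT_BYTES = 16       # fresh random salt per record

def credential_path(app_name, roaming=False):
    """Per-user data folder: writable without elevation, unlike Program Files."""
    var = "APPDATA" if roaming else "LOCALAPPDATA"   # roaming vs non-roaming profile
    base = os.environ.get(var) or str(Path.home())   # fallback when not on Windows
    return Path(base) / app_name / "credentials.txt"

def make_record(username, password):
    """Build one text line: user$iterations$salt_hex$hash_hex."""
    if "$" in username or "\n" in username:
        raise ValueError("username may not contain '$' or newlines")
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return f"{username}${ITERATIONS}${salt.hex()}${digest.hex()}"

def check_record(record, username, password):
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        user, iters, salt_hex, hash_hex = record.strip().split("$")
        iters = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed or edited record
    if not 1 <= iters <= 10_000_000:
        return False  # reject nonsense work factors from an edited file
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iters)
    same_user = hmac.compare_digest(user.encode("utf-8"), username.encode("utf-8"))
    return same_user and hmac.compare_digest(digest, expected)

def register(path, username, password):
    """Write the record, creating the per-user folder if needed."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(make_record(username, password) + "\n", encoding="utf-8")

def login(path, username, password):
    """False when no account is registered, the file is unreadable, or the check fails."""
    try:
        return check_record(path.read_text(encoding="utf-8"), username, password)
    except (OSError, ValueError):
        return False

if __name__ == "__main__":
    target = credential_path("MyApp")  # "MyApp" is a constructed name
    register(target, "alice", "constructed sample passphrase")
    print(target, login(target, "alice", "constructed sample passphrase"))
```

A file in the user's own profile can still be read and replaced by that user, so this protects the password itself, not the program, from someone who controls the account.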
