User Login and Password

[VIH]

I am writing an application and I want to add User login and password screen before opening the application.

Where it's better to save the users and passwords (encrypt
passwords) data in Database or configuration file ?

Does anyone have implemention of User login screen in C-sharp?



Thanks in advance ...

[Andy Tacker]

my way is to use Database.
I use encryption to store Passwords in db.
Read login name and get the encrypted password from DB, then decrypt the password and compare the entered password.
works well for applications which are client based as well as web based.

[torrud]

I use the same way like Andy Tacker. But one difference I have. I also store my passwords encrypted in database and after reading the entered password I crypt that and compare it with the password from DB. In my opinion this is very important, because if you decrypt the password from DB for comparing, an attacker can enter a fake password and make a memorydump and will get the correct password. So if you compare encrypted passwords he won't get an important information.

[Anders Jansson]

What do you use for encrypt and decrypt?

The System.Security.Cryptography?

Some start help on this subject would really be appretiated.

/Anders

[Andy Tacker]

you can refer to this file for some information...

[T_M_P]

you can refer to this file for some information...

I tried to use this Class but I have a logical problem:

the password in the DB should be stored in clear? I think not, but how can I store it encrypted?

Thanks for your help

[boudino]

Generaly: never store password itself, neither clear nor encrypted. Store only its hash value computed by a strong alghoritm. In login process, just compare hash of typed in password with stored hash.