Password storing…-Collection of common programming errors
msdn I am new to C# (within a month or so). I am making an application that sends an email. It requires the user to enter the SMTP server information. Part of this is the user’s password. What is the best way to store this given that it is dynamic, user defined, and shouldn’t be stored in plain text? Security is not a huge concern, but some level of encryption would be desirable. I have looked at a number of different topics based around settings and such, but it seems to me that the only settings that have a Protect method are appSettings that can’t be altered and saved at runtime. I tried this earlier, and was given a permission denied error. I am currently using a Settings file, but I can’t find a way to protect the password. Help is much appreciated. Thanks, Mike
8 Answers
msdn1 Probably the easiest and most secure way to store/retrieve a password entered by a user is with the ProtectedData class. You can choose between encrypting the setting at a machine level (so any account can access it) or at a user account level so only a specific user on the machine can access it. It also saves you the problem of managing the encryption keys, which is the weakest link in any encryption scheme, because Windows manages this for you. All you have is a simple API to protect and retrieve data; essentially you give it a byte array of sensitive data, and it then gives you a byte array as a key to that, which you can store anywhere. Then simply use that key to retrieve the sensitive data. You might also want to look at Encoding.Unicode.GetBytes to convert text strings to a byte array, and Convert.ToBase64String/FromBase64String to convert bytes to non-text strings for easy storage in XML. http://gregbeech.com/blogs/tech
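An added example, not part of the original answer or thread: the ProtectedData approach described in the answer above, with the result Base64-encoded so it can be saved in a settings or XML file. The class name SmtpPasswordStore, the entropy string and the sample password are assumptions made for illustration; ProtectedData uses Windows DPAPI, so this runs on Windows only.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData: reference System.Security (.NET Framework)
using System.Text;                  // or the System.Security.Cryptography.ProtectedData package

static class SmtpPasswordStore // hypothetical helper name
{
    // Optional entropy (constructed value): not a managed key, but the same bytes
    // must be passed to Unprotect or decryption fails.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleMailer.SmtpPassword.v1");

    // Returns a Base64 string that can be saved in a settings or XML file.
    public static string Protect(string password)
    {
        byte[] plain = Encoding.Unicode.GetBytes(password);
        try
        {
            // CurrentUser: only the same Windows account can decrypt.
            // LocalMachine: any account on this machine can decrypt.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // wipe the plaintext byte buffer
        }
    }

    // Returns null when the stored value is corrupt, was edited, or belongs to another account.
    public static string Unprotect(string stored)
    {
        try
        {
            byte[] blob = Convert.FromBase64String(stored);
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.Unicode.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (FormatException) { return null; }        // not valid Base64
        catch (CryptographicException) { return null; } // DPAPI refused to decrypt
    }

    static void Main()
    {
        string stored = Protect("example-password"); // constructed sample input
        Console.WriteLine("Stored value: " + stored);
        Console.WriteLine("Round trip ok: " + (Unprotect(stored) == "example-password"));
        Console.WriteLine("Tampered value rejected: " + (Unprotect("AAAA" + stored) == null));
    }
}
```

The Base64 string is what goes into the Settings file; a blob protected with the CurrentUser scope cannot be decrypted by a different Windows account, so it does not survive being copied to another user's profile.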
msdn2 Thanks for the quick response. What, specifically, do you mean by manipulating? Sorry, I’ve never worked with encryption or anything of the sort. Thanks again, Mike
msdn3 Hello. Please, could you have a look at this link? http://weblogs.asp.net/pglavich/archive/2005/08/12/422330.aspx
It explains how to simply use SecureString, which is a way to treat passwords, for example. I’m using it in my programs, which create SQL Server databases and users with fixed passwords.
Have a nice day
Please remember to click ‘Mark as Answer’ on the post that helped you. Unmark if it provides no help
msdn4 That doesn’t really answer the question of storing a password in an XML type document. Also, based on the comments regarding the article, it is somewhat unanimous that the method isn’t very useful when using C#. I ended up using an encryption algorithm. Given the situation it is being implemented in, I think that is sufficient though. What is the general standard though? In MS Outlook, how are passwords for mail servers stored? Or for any messenger?
msdn5 “What is the general standard though? In MS Outlook, how are passwords for mail servers stored? Or for any messenger?”
In the Registry. AES Encryption. AlexB
msdn6 Is there any benefit to storing an encrypted password in the registry versus storing it in a file? Sorry, I’m new.
msdn8 I just looked briefly at the API for the ProtectedData class. It appears to be just about the most straightforward solution. Thanks.