{"id":4348,"date":"2014-03-30T09:58:47","date_gmt":"2014-03-30T09:58:47","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/03\/30\/password-storing-collection-of-common-programming-errors\/"},"modified":"2014-03-30T09:58:47","modified_gmt":"2014-03-30T09:58:47","slug":"password-storing-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/03\/30\/password-storing-collection-of-common-programming-errors\/","title":{"rendered":"Password storing&#8230;-Collection of common programming errors"},"content":{"rendered":"<ul>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn I am new to C# (within a month or so).\u00a0 I am making an application that sends an email.\u00a0 It requires the user to enter the SMTP server information.\u00a0 Part of this is the user&#8217;s password.\u00a0 What is the best way to store this given that it is dynamic, user defined, and shouldn&#8217;t be stored in plain text?\u00a0 Security is not a <i>huge<\/i> concern, but some level of encryption would be desirable.\u00a0 I have looked at a number of different topics based around settings and such, but it seems to me that the only settings that have a Protect method are appSettings that can&#8217;t be altered and saved at runtime.\u00a0 I tried this earlier, and was given a permission denied error.\u00a0 I am currently using a Settings file, but I can&#8217;t find a way to protect the password.\u00a0 Help is much appreciated. Thanks, Mike<\/li>\n<li>\n<h3>8 Answers<\/h3>\n<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn1 Probably the easiest and most secure way to store\/retrieve a password entered by a user is with the ProtectedData class. 
You can choose between encrypting the setting at a machine level (so any account can access it) or at a user account level so only a specific user on the machine can access it. It also saves you the problem of managing the encryption keys, which is the weakest link in any encryption scheme, because Windows manages this for you. All you have is a simple API to protect and retrieve data, essentially you give it a byte array of sensitive data, and it then gives you a byte array as a key to that, which you can store anywhere. Then simply use that key to retrieve the sensitive data. You might also want to look at Encoding.Unicode.GetBytes to convert text strings to a byte array, and Convert.ToBase64String\/FromBase64String to convert bytes to non-text strings for easy storage in XML. http:\/\/gregbeech.com\/blogs\/tech<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn2 Thanks for the quick response.\u00a0 What, specifically, do you mean by manipulating?\u00a0 Sorry, I&#8217;ve never worked with encryption or anything of the sort. Thanks again, Mike<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn3 Hello, please, could you have a look at this link?<\/p>\n<p>http:\/\/weblogs.asp.net\/pglavich\/archive\/2005\/08\/12\/422330.aspx<\/p>\n<p>It explains how simply to use SecureString, which is a way to treat passwords, for example. I&#8217;m using it in my programs which create SQL Server databases\u00a0 and users with fixed passwords<\/p>\n<p>Have a nice day\u00a0<\/p>\n<p>Please remember to click &#8216;Mark as Answer&#8217; on the post that helped you. 
Unmark if it provides no help<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn4 That doesn&#8217;t really answer the question of storing a password in an XML type document.\u00a0 Also, based on the comments regarding the article, it is somewhat unanimous that the method isn&#8217;t very useful when using C#.\u00a0 I ended up using an encryption algorithm.\u00a0 Given the situation it is being implemented in, I think that is sufficient though. What is the general standard though?\u00a0 In MS Outlook, how are passwords for mail servers stored?\u00a0 Or for any messenger?<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn5<\/p>\n<p>What is the general standard though?\u00a0 In MS Outlook, how are passwords for mail servers stored?\u00a0 Or for any messenger?<\/p>\n<p>In the Registry. AES Encryption. AlexB<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn6<\/p>\n<p>Is there any benefit to storing an encrypted password in the registry versus storing it in a file?\u00a0 Sorry, I&#8217;m new.<\/p>\n<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn7 Probably the easiest and most secure way to store\/retrieve a password entered by a user is with the ProtectedData class. You can choose between encrypting the setting at a machine level (so any account can access it) or at a user account level so only a specific user on the machine can access it. 
It also saves you the problem of managing the encryption keys, which is the weakest link in any encryption scheme, because Windows manages this for you. All you have is a simple API to protect and retrieve data, essentially you give it a byte array of sensitive data, and it then gives you a byte array as a key to that, which you can store anywhere. Then simply use that key to retrieve the sensitive data. You might also want to look at Encoding.Unicode.GetBytes to convert text strings to a byte array, and Convert.ToBase64String\/FromBase64String to convert bytes to non-text strings for easy storage in XML. http:\/\/gregbeech.com\/blogs\/tech<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/i.msdn.microsoft.com\/dn186180.LOGO_Win1211(id-id,MSDN.10).png\" \/><br \/>\nmsdn8<\/p>\n<p>I just looked briefly at the API for the ProtectedData class.\u00a0 It appears to be just about the most straightforward solution.\u00a0 Thanks.<\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>msdn I am new to C# (within a month or so).\u00a0 I am making an application that sends an email.\u00a0 It requires the user to enter the SMTP server information.\u00a0 Part of this is the user&#8217;s password.\u00a0 What is the best way to store this given that it is dynamic, user defined, and shouldn&#8217;t be 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4348","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/4348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=4348"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/4348\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=4348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=4348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=4348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}