Need some way to save login information

Printable View

Sep 25th, 2000, 01:15 PM

I'm developing a DB application that is accessing an ODBC database. As it is now a user has to pull up a little connection form and enter the DSN and login info. This is fine, but I NEED to have this information stored, as the ODBC info is not going to change on aregular basis (if at all).

I was thinking about storing the DSN/userid/password information in a text file, and then performing XOR encryption on the text file (it's fairly simple and it'll keep the information semi-secure). I guess I'm wondering if this is the best way?

If so, how do I do the text manipulation? The couple books I have seem to gloss over this point. I can find out easily enough how to READ from a text file, but I need to know how to input these 3 pieces of info back into a text file, overwriting the information that is allready there.

If you are going to suggest storing this info in the registry, don't. I work in a high-security institution, so the NT security policys are incredibly anal (yes.. nobody but administrators can modify the registry in any way).
Sep 25th, 2000, 02:12 PM
PaulLewis

I'd be interested in this too

Although I've implemented my own now, I am interested in seeing what suggestions crop up.

As for your idea of storing DSN/userid/password in a text file, even with encryption, I doubt it will be as secure as making the user remember a password. If you are saying that you have single login for multiple users in this app/DB and yet you say you are in a high-security institution, then I guess I am somewhat dumbfounded.

Assuming then that I read you wrong, you could use the user's userid/password to act as an encryption key for the rest of the data. If the DSN is secret and shouldn't be passed out to anyone in your institution (again, quite strange to me unless you expect internal hackers I suppose) then the DSN can be encrypted.

Personally, my suggestions are:
1) individual login for DB access (your administrators can't argue with that surely!)
2) Store the DSN in an ini file - no need to encrypt it
3) Store the last userid in the ini file too if you like
4) In the login screen, populate a combo with the list of DSN's to choose from, make the user type their name or populate it from the last userid info from the ini file, then make the user type their password.

This means that the DB will control the access rights of the user, and you don't need to worry about a weak encryption system in your app.

But if your heart is set on encrypting something, usually you will want an encryption key that is not hard coded so as to avoid the possibility of someone cracking their own encrypted login info, then using that key to crack everyone elses.

Post or email me if you want more info, otherwise I hope you get the answers you were looking for from our fellow programmers :)

Cheers
Sep 25th, 2000, 02:38 PM

I think I was not 100% clear

The encryption of login info is only applicable to the actual ODBC login. Now I do NOT expect there to be a serious problem from internal hackers. I only suggested the encryption as a way to make sure that the odbc login was not EASILY visible. To make it a bit clearer, there are 2 logins that occurr. The first ODBC login, and then asecond user specific login. (I am only finishing what someone else started... yes.. I know this is a dumb way to do it).

I guess My MAIN question was regarding how specifically I manipulate a text file to store the last used ODBC info. the reference boks I have seem to gloss over the area of actually using a text (or INI) file to store the data. Encryption really is optional. Adding it would basically insure that it took a deliberate attempt to access the ODBC info by someone internally. The network is in no manner shape or form connected to the internet, so outside tampering is a non-issue).
Sep 25th, 2000, 03:30 PM
PaulLewis

Gotcha

Well I'm relatively new to Vb having only really messed with VB6 and ADO. So all I am familiar with is the ADO style connection string in which all relevant login details are able to be stored.

So to get that out to a file, (ini files are easy because the API gives you this for free). This is assuming you can reduce the required ODBC stuff into strings.

Code:

#If Win32 Then ' Profile String functions: Private Declare Function WritePrivateProfileString Lib "kernel32" Alias "WritePrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpString As Any, ByVal lpFileName As String) As Long Private Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As Any, ByVal lpKeyName As Any, ByVal lpDefault As Any, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long #Else ' Profile String functions: Private Declare Function WritePrivateProfileString Lib "Kernel" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpString As Any, ByVal lpFileName As String) As Integer Private Declare Function GetPrivateProfileString Lib "Kernel" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As Any, ByVal lpReturnedString As String, ByVal nSize As Integer, ByVal lpFileName As String) As Integer #End If

Better still, check out this type library:
http://vbaccelerator.com/codelib/inireg/inifile.htm
It makes ini file reading/writing absolutely fool proof :)

Regards