Thread: Creating secure user login for application that will be open source

  1. #1

    Thread Starter
    Lively Member
    Join Date
    Dec 2012
    Posts
    70

    Creating secure user login for application that will be open source

    Hello,

    An application I am working on requires a user account system that can store a variety of information specific to a user (obviously username, password as well as images and other text).

    I want to encrypt/hash the password, but how do I go about this when I am publicly releasing the source code and anyone could view how the passwords are hashed and salted?

    Thanks

  2. #2
    .NUT jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    105,187

    Re: Creating secure user login for application that will be open source

    It doesn't matter that everyone can see how the passwords are hashed. Hashing is a one-way process, so knowing how a hash was produced from a password still doesn't help you retrieve a password from a hash. The one thing it will do is let you settle on a single hashing method for a brute-force attack. As for the salt, you should generate a random salt value for each user and store it in the database with the password hash. No one developing for the application will then know the salt for any particular user.

  3. #3

    Thread Starter
    Lively Member
    Join Date
    Dec 2012
    Posts
    70

    Re: Creating secure user login for application that will be open source

    I had thought of randomly generating a salt, but your idea of generating it for each user sounds even better than mine. Thank you!

  4. #4
    .NUT jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    105,187

    Re: Creating secure user login for application that will be open source

    Generating a unique salt for each user just means an extra step in the login process, i.e. you must retrieve the salt for the user name first.
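    Added example (not code from this thread, and written in Python rather than the OP's VB.NET so it runs as-is): the register/login flow described in #2 and #4, with a random per-user salt stored in the SQLite user row beside the hash, and a login that retrieves that salt for the user name first. PBKDF2-HMAC-SHA256 from the standard library stands in for a password hash such as bcrypt; the iteration count and salt length are this example's assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example, not code from the thread. PBKDF2-HMAC-SHA256 stands in
# for bcrypt; ITERATIONS and SALT_BYTES are assumed values.
ITERATIONS = 200_000
SALT_BYTES = 16


def open_db() -> sqlite3.Connection:
    """In-memory SQLite user table: the salt is stored next to the hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Fresh random salt per user, so equal passwords give different hashes."""
    salt = os.urandom(SALT_BYTES)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Step 1: fetch this user's salt and hash. Step 2: recompute and compare."""
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Unknown user: do one PBKDF2 round anyway so response time does not
        # reveal which user names exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    conn = open_db()
    register(conn, "alice", "correct horse")
    register(conn, "bob", "correct horse")  # same password as alice
    hashes = [conn.execute("SELECT hash FROM users WHERE username = ?",
                           (u,)).fetchone()[0] for u in ("alice", "bob")]
    return {"same_password_different_hash": hashes[0] != hashes[1],
            "alice_ok": login(conn, "alice", "correct horse"),
            "alice_wrong": login(conn, "alice", "wrong"),
            "unknown_user": login(conn, "mallory", "correct horse")}
```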

  5. #5

    Thread Starter
    Lively Member
    Join Date
    Dec 2012
    Posts
    70

    Re: Creating secure user login for application that will be open source

    Also, how would I prevent any other applications from accessing the database? I intend on using a sqlite database. What is to stop anyone else from writing an application that adds their own user to the database? Even if I could password protect the database, anyone viewing the source could view the password. Does that make sense? Sorry, I am relatively new to working with databases.
    Last edited by theryan722; Jan 23rd, 2016 at 11:34 PM. Reason: wrong database type

  6. #6
    Frenzied Member jdc20181's Avatar
    Join Date
    Oct 2015
    Location
    Indiana
    Posts
    1,157

    Re: Creating secure user login for application that will be open source

    Simply don't use a database.
    If the user accounts will be local computer based, meaning it isn't tied to a website or online parts of sorts, then just don't use one.
    You can use application settings and text files instead.
    Plus, if I am correct, the database would be local, unless again you are hosting it with online services.
    I have several open-source based projects; I am the only one who maintains them, and with limited internet I don't always get all the source code out. But the way I save the username and passcode data, the text file that stores the data is executed into the program, so it isn't separate.
    I am personally working to get hashing but don't understand it enough.


    Okay, here is my code. You will need to make two settings, and will need two text files.

    Code:
    ' Requires: Imports System.IO
    ' Reads the user name file and the password file line by line. A login is
    ' accepted only when the entered user name and password appear on the same
    ' line number of their respective files.
    Dim userNames() As String = File.ReadAllLines(Path.Combine(My.Application.Info.DirectoryPath, My.Settings.User))
    Dim passwords() As String = File.ReadAllLines(Path.Combine(My.Application.Info.DirectoryPath, My.Settings.Pass))
    Dim loggedIn As Boolean = False

    For i As Integer = 0 To Math.Min(userNames.Length, passwords.Length) - 1
        If ToolStripTextBox1.Text = userNames(i) AndAlso ToolStripTextBox2.Text = passwords(i) Then
            loggedIn = True
            Exit For
        End If
    Next

    If loggedIn Then
        Form2.Show()
        Form1.Close()
    Else
        MsgBox("wrong login")
    End If
    That is very modified because of the way I have the project set up for users and admins.

    But the idea is to check and see if it contains the set password and usernames.
    No, it won't log in if the password is on line 2 of the password file and the username is on line 32 of the username file; they must both be on the same line.
    To create new users you can use a listbox, then save the new entries into the text files using WriteAllLines.

    Another idea I am throwing around in my head, not sure if it will work, is to create a new database and randomize the key (so the user would get some random database name and password generated and stored out of view).
    OR
    You can not put potentially security-threatening parts of code out to the public.
    Yes, you can keep it open source but not show parts that put other people's data and info in threat of hackers.

    Depending how you release the source code, you can also put in a dummy password and login, as the database really isn't open source since it stores private information.

  7. #7
    .NUT jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    105,187

    Re: Creating secure user login for application that will be open source

    Quote Originally Posted by theryan722:
    I intend on using a sqlite database.
    I've never actually used SQLite myself but, if I was going to, I'd search the web for information on SQLite security. Have you done that?
    Quote Originally Posted by theryan722:
    Even if I could password protect the database, anyone viewing the source could view the password.
    I'd suggest that a server-based database like SQL Server is likely to be more secure than a file-based system like SQLite. Either way, you can store credentials in the config file and encrypt them.

  8. #8
    .NUT jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    105,187

    Re: Creating secure user login for application that will be open source

    Quote Originally Posted by jdc20181:
    Simply don't use a database.
    ...
    You can use application settings and Textfiles instead.
    Really? Because XML config files and text files offer better security than a database? I think not.

  9. #9

    Thread Starter
    Lively Member
    Join Date
    Dec 2012
    Posts
    70

    Re: Creating secure user login for application that will be open source

    Yes, I am using Bcrypt.Net to securely hash passwords. I have also been reading up on best practices for security.
