-
Apr 2nd, 2015, 01:36 PM
#1
Thread Starter
Addicted Member
[RESOLVED] Help needed about storing password securely
Hello, I have a WebBrowser on my form and I want to store the user password which is entered in a textbox for logging in to a site. I've searched the net a lot. I found some things about hashing and encrypting; however, I couldn't make any of them work.
visual basic store password securely -database
This search phrase didn't give me results I needed. Please help me.
I also want to know if it's the right thing to store some settings like usernames or passwords in an xml or text file.
-
Apr 2nd, 2015, 03:36 PM
#2
Re: Help needed about storing password securely
It depends on what level of security you want. Any secure data is vulnerable and if you want to protect sensitive data, I wouldn't store passwords at all. Personally I'd use a hash. Hash the password, store it. When the user enters a password, hash it and compare against the stored version. This however has vulnerability too, simply because the user will type their password and how do you know there isn't a key logger in place?
For low or zero risk sites, like a forum for example, where there is no 'loss', a hash is your best option. For medium to high risk sites, I wouldn't code it at all, it'd be safer to use a commercial app like LastPass which has high grade protection in place.
-
Apr 2nd, 2015, 04:17 PM
#3
Thread Starter
Addicted Member
Re: Help needed about storing password securely
Thank you for your reply. I tried this as shown on https://msdn.microsoft.com/tr-tr/library/ms172831.aspx
Code:
Imports System.Security.Cryptography

Public NotInheritable Class TestClass
    Private TripleDes As New TripleDESCryptoServiceProvider

    Private Function TruncateHash(
        ByVal key As String,
        ByVal length As Integer) As Byte()

        Dim sha1 As New SHA1CryptoServiceProvider
        ' Hash the key.
        Dim keyBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(key)
        Dim hash() As Byte = sha1.ComputeHash(keyBytes)
        ' Truncate or pad the hash.
        ReDim Preserve hash(length - 1)
        Return hash
    End Function

    Sub New(ByVal key As String)
        ' Initialize the crypto provider.
        TripleDes.Key = TruncateHash(key, TripleDes.KeySize \ 8)
        TripleDes.IV = TruncateHash("", TripleDes.BlockSize \ 8)
    End Sub

    Public Function EncryptData(
        ByVal plaintext As String) As String

        ' Convert the plaintext string to a byte array.
        Dim plaintextBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(plaintext)
        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the encoder to write to the stream.
        Dim encStream As New CryptoStream(ms,
            TripleDes.CreateEncryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)
        ' Use the crypto stream to write the byte array to the stream.
        encStream.Write(plaintextBytes, 0, plaintextBytes.Length)
        encStream.FlushFinalBlock()
        ' Convert the encrypted stream to a printable string.
        Return Convert.ToBase64String(ms.ToArray)
    End Function

    Public Function DecryptData(
        ByVal encryptedtext As String) As String

        ' Convert the encrypted text string to a byte array.
        Dim encryptedBytes() As Byte = Convert.FromBase64String(encryptedtext)
        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the decoder to write to the stream.
        Dim decStream As New CryptoStream(ms,
            TripleDes.CreateDecryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)
        ' Use the crypto stream to write the byte array to the stream.
        decStream.Write(encryptedBytes, 0, encryptedBytes.Length)
        decStream.FlushFinalBlock()
        ' Convert the plaintext stream to a string.
        Return System.Text.Encoding.Unicode.GetString(ms.ToArray)
    End Function

    Sub TestEncoding()
        Dim plainText As String = InputBox("Enter the plain text:")
        Dim password As String = InputBox("Enter the password:")
        Dim wrapper As New TestClass(password)
        Dim cipherText As String = wrapper.EncryptData(plainText)
        MsgBox("The cipher text is: " & cipherText)
        My.Computer.FileSystem.WriteAllText(
            My.Computer.FileSystem.SpecialDirectories.MyDocuments &
            "\cipherText.txt", cipherText, False)
    End Sub

    Sub TestDecoding()
        Dim cipherText As String = My.Computer.FileSystem.ReadAllText(
            My.Computer.FileSystem.SpecialDirectories.MyDocuments &
            "\cipherText.txt")
        Dim password As String = InputBox("Enter the password:")
        Dim wrapper As New TestClass(password)
        ' DecryptData throws if the wrong password is used.
        Try
            Dim plainText As String = wrapper.DecryptData(cipherText)
            MsgBox("The plain text is: " & plainText)
        Catch ex As System.Security.Cryptography.CryptographicException
            MsgBox("The data could not be decrypted with the password.")
        End Try
    End Sub
End Class
But I'm getting error:
Error 3 Reference to a non-shared member requires an object reference. ... \Form1.vb
-
Apr 2nd, 2015, 04:33 PM
#4
Re: Help needed about storing password securely
I edited that Microsoft class to be more usable.
Here's the class file.
Code:
Imports System.Security.Cryptography

Public NotInheritable Class Simple3Des
    Private TripleDes As New TripleDESCryptoServiceProvider

    Private Function TruncateHash(ByVal key As String, ByVal length As Integer) As Byte()
        Dim sha1 As New SHA1CryptoServiceProvider
        ' Hash the key.
        Dim keyBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(key)
        Dim hash() As Byte = sha1.ComputeHash(keyBytes)
        ' Truncate or pad the hash.
        ReDim Preserve hash(length - 1)
        Return hash
    End Function

    Sub New(ByVal key As String)
        ' Initialize the crypto provider.
        TripleDes.Key = TruncateHash(key, TripleDes.KeySize \ 8)
        TripleDes.IV = TruncateHash("", TripleDes.BlockSize \ 8)
    End Sub

    Private Function EncryptData(ByVal plaintext As String) As String
        ' Convert the plaintext string to a byte array.
        Dim plaintextBytes() As Byte =
            System.Text.Encoding.Unicode.GetBytes(plaintext)
        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the encoder to write to the stream.
        Dim encStream As New CryptoStream(ms,
            TripleDes.CreateEncryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)
        ' Use the crypto stream to write the byte array to the stream.
        encStream.Write(plaintextBytes, 0, plaintextBytes.Length)
        encStream.FlushFinalBlock()
        ' Convert the encrypted stream to a printable string.
        Return Convert.ToBase64String(ms.ToArray)
    End Function

    Private Function DecryptData(ByVal encryptedtext As String) As String
        ' Convert the encrypted text string to a byte array.
        Dim encryptedBytes() As Byte = Convert.FromBase64String(encryptedtext)
        ' Create the stream.
        Dim ms As New System.IO.MemoryStream
        ' Create the decoder to write to the stream.
        Dim decStream As New CryptoStream(ms,
            TripleDes.CreateDecryptor(),
            System.Security.Cryptography.CryptoStreamMode.Write)
        ' Use the crypto stream to write the byte array to the stream.
        decStream.Write(encryptedBytes, 0, encryptedBytes.Length)
        decStream.FlushFinalBlock()
        ' Convert the plaintext stream to a string.
        Return System.Text.Encoding.Unicode.GetString(ms.ToArray)
    End Function

    Public Function Decode(cipher As String) As String
        Try
            Return DecryptData(cipher)
        Catch ex As CryptographicException
            Throw New Exception(ex.Message)
        End Try
    End Function

    Public Function Encode(txt As String) As String
        Try
            Return EncryptData(txt)
        Catch ex As CryptographicException
            Throw New Exception(ex.Message)
        End Try
    End Function
End Class
To use it, call the Decode and Encode functions.
Here's an example.
Code:
Module Module1
    Dim Simple As New Simple3Des("RandomKey45") 'This is the Key

    Sub Main()
        Dim myName As String = "Toph"
        Dim encodedName As String = Simple.Encode(myName)
        Console.WriteLine("Name: " & myName)
        Console.WriteLine(myName & " encoded is : " & encodedName)
        Console.WriteLine()
        Console.WriteLine(encodedName & " decoded is : " & Simple.Decode(encodedName))
        Console.ReadLine()
    End Sub
End Module
If you find my contributions helpful then rate them. 
-
Apr 2nd, 2015, 04:42 PM
#5
Re: Help needed about storing password securely
it should be hashed...not encrypted. Hashes are one way. They enter their password, you hash it, you store it in the db. They want to login, they enter their password, you hash it, then compare the TWO HASHED VALUES. There's no decrypting involved.
https://www.google.com/webhp?es_th=1...assword+vb.net
-tg
-
Apr 2nd, 2015, 04:47 PM
#6
Re: Help needed about storing password securely
 Originally Posted by techgnome
it should be hashed...not encrypted. Hashes are one way. They enter their password, you hash it, you store it in the db. They want to login, they enter their password, you hash it, then compare the TWO HASHED VALUES. There's no decrypting involved.
https://www.google.com/webhp?es_th=1...assword+vb.net
-tg
Oh my bad. I didn't even read his thread in context. I just saw the Microsoft code he was having troubles with and tried to resolve it.
-
Apr 2nd, 2015, 05:13 PM
#7
Thread Starter
Addicted Member
Re: [RESOLVED] Help needed about storing password securely
At last I found a working example: How to Get MD5 Hash From String-VBForums Example
Thanks for the help.
-
Apr 2nd, 2015, 05:28 PM
#8
Re: [RESOLVED] Help needed about storing password securely
MD5 hashes are also not good because you can look up rainbow tables to find the word each hash belongs to. MD5 is outdated.
-
Apr 2nd, 2015, 05:32 PM
#9
Re: [RESOLVED] Help needed about storing password securely
I really do not think Zero Cool is looking to hack this project. Let's not go too mental.
-
Apr 2nd, 2015, 05:43 PM
#10
Re: Help needed about storing password securely
 Originally Posted by Toph
I edited that Microsoft class to be more usable.
Here's the class file.
Out of complete curiosity, why have you used Windows 95 Paint to hide your profile name?
-
Apr 2nd, 2015, 05:51 PM
#11
Re: Help needed about storing password securely
 Originally Posted by ident
Out of complete curiosity, why have you used Windows 95 Paint to hide your profile name?
Ahaha. It's a habit. I use the Lightshot desktop application to do it, not MS Paint lool.
-
Apr 2nd, 2015, 07:13 PM
#12
Re: [RESOLVED] Help needed about storing password securely
 Originally Posted by Toph
MD5 hashes are also not good because you can look up rainbow tables to find the word each hash belongs to. MD5 is outdated.
That's why you shouldn't use passwords in the first place but use passphrases, the longer the better. I cringe when a website tells me my password can only be 8-12 characters. I don't use anything less than 24 when I can help it. The longer the better. They're a lot tougher to run rainbow files against because of the sheer numbers involved. And they're usually easy (easier) to remember, and they avoid the usual character replacements th@t p30p13 l1k3 t0 d0.
-tg
-
Apr 2nd, 2015, 08:18 PM
#13
Re: [RESOLVED] Help needed about storing password securely
 Originally Posted by techgnome
That's why you shouldn't use passwords in the first place but use passphrases, the longer the better. I cringe when a website tells me my password can only be 8-12 characters. I don't use anything less than 24 when I can help it. The longer the better. They're a lot tougher to run rainbow files against because of the sheer numbers involved. And they're usually easy (easier) to remember, and they avoid the usual character replacements th@t p30p13 l1k3 t0 d0.
-tg
Seems good. I might try using passphrases. So a pass phrase like...
"ilikeeatingbaconwitheggs" is good?
-
Apr 2nd, 2015, 08:50 PM
#14
Re: [RESOLVED] Help needed about storing password securely
Not any more.... But yes... phrases like that.
I actually use a pattern and have a little app that helps generate random combinations... when I need a phrase, I run about 20, find one that I'll remember and use it. Given the number of segments (2-4) and the variation of the sources of the segments, the number of combinations is phenomenal. And because it's all random, it's not reflective of my personality, making them even harder to guess. I ended up with PurpleLlamaGoats one time...
-tg