Remember password option in winform - winforms

Is there any way that I can put a "Remember password" checkbox in my WinForm, as I have no tables for username and password? I am checking the username and password directly on the server...
Please answer if I am clear with my question.

The simplest way to do that would be to store the provided password in the Application or User Settings. You may want to use some kind of encryption so that it is not stored as plain text.
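One way to implement the encrypted storage suggested above, as an added example that is not part of the original answer: the remembered credential is protected with DPAPI in the current user's scope before it is written to disk. The class name `RememberedCredential`, the file location and the entropy string are assumptions; a string property in User Settings holding the Base64 of the blob would work the same way.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData: reference System.Security.dll on .NET Framework
using System.Text;

// Added example: "remember password" storage protected with DPAPI (per-user scope).
public static class RememberedCredential
{
    // Assumed location under the user's local profile.
    private static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "MyWinFormsApp", "remembered.bin");

    // Extra entropy ties the blob to this application; it is not a secret key.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyWinFormsApp.RememberPassword.v1");

    public static void Save(string userName, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(userName + "\n" + password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(StorePath));
            File.WriteAllBytes(StorePath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); }   // do not leave the clear text in the buffer
    }

    public static bool TryLoad(out string userName, out string password)
    {
        userName = password = null;
        if (!File.Exists(StorePath)) return false;
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            Array.Clear(plain, 0, plain.Length);
            if (parts.Length != 2) return false;
            userName = parts[0]; password = parts[1];
            return true;
        }
        // Blob is corrupted or was written by another Windows account or machine.
        catch (CryptographicException) { Forget(); return false; }
    }

    // Call when the user unticks the checkbox or the server rejects the stored password.
    public static void Forget() { if (File.Exists(StorePath)) File.Delete(StorePath); }
}
```

Any program running as the same Windows user can call `Unprotect` on the blob, so this protects the file at rest and from other accounts, not from code already running in the user's session.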

I think you need to use the Windows Credentials Manager API
When you start your WinForms application you will get the Windows Credential Manager dialog. You will also have a Remember Password option on it. When you enter your credentials they will be safely stored with Windows.
Check this link to see how to get this done - http://www.developerfusion.com/code/4693/using-the-credential-management-api/2/

Related

How to recover or reset password of C1-CMS admin?

In a self-hosted C1-CMS (formerly Composite C1), how can I reset or recover the password? Can the password be viewed or reset somewhere on the server?
(Composite C1 4.3, Build 4.3.5555.25838)
If you are using the default XML data store, the users and encrypted passwords are stored in: /App_Data/Composite/DataStores/Composite.Data.Types.IUser.xml
If you have another user with a password you know, you can replace the encrypted password string on the account you are trying to access, with the encrypted password from the account you know. Then login and change the password.
I received this answer from the official Orckestra support team (very helpful, although I am not a paying customer, thumbs up!):
You cannot recover the password, but if you have access to the files (or SQL Database, if you migrated data to SQL) you can reset the password:
This should work for sites running on XML data store (default):
Edit the file ~/App_Data/Composite/DataStores/Composite.Data.Types.IUser.xml
Locate the xml element for the user you want to reset the password for
Change the following two attributes to the shown values:
EncryptedPassword="hsfIeqkVA5yoMIwzYIx4fWny5GjwNwiM3wA5K+9qCug="
PasswordHashSalt="/zgEhlwBe6Vl0HHqMFPxafrtwqlRIGVS"
Save the file.
If your site is on SQL, locate the table Composite_Data_Types_IUser_Published and put the above shown values into the corresponding columns (EncryptedPassword and PasswordHashSalt).
You should now be able to log in using the password "123456" for the user you changed above. Once in the CMS Console, you can set a new password using the top Tools menu (top right user menu in V5 and later).
I recently had a scenario where neither of the suggested methods would work for me. I was able to remedy this by creating a c1 instance locally, creating a user with the same username and the desired password, and then overwriting the password salt and hash from the local site to the one you're locked out of.

User Details Management

I have in my web application a role called "Administrator". Users who have this role should be able to modify the information about the registered users.
I am thinking about displaying a table with the user details such as e-mail and username, and being able to change them, but I don't know what I should do if a user comes to the office physically, goes to an admin and asks for a password change (yes, they can do that). Should the admin just press a reset button over the row and tell the user to check his e-mail when he arrives home and proceed with the recovery (a reset link, for example)? Or should the administrator reset the user's password and give him his new password in that very moment? The second approach is preferable as I was asked to do that...
I know that the admin shouldn't be able to see the original password as it should be hashed and unknown.
What are your thoughts about this? How would you implement this functionality? Thanks for your help.
There is no one perfect answer for this question. The question of workflow will always be dependent on the specific use-cases of an application and will depend on the context it is built in.
That being said, you are right about one thing - it is a horrible, and I do mean horrible, security breach to let an Admin or any other user view a clear text password for someone else. So that's definitely off the table.
In your case, it seems giving the admin the right to change someone's password is the way to go. If you're worried about how it looks, don't be. Google Apps allows domain administrators to change the password for any email account under that domain.
Finally, I would suggest a small additional safety measure. When an Admin changes another user's password, store the old encrypted password in a column, don't delete it. When the admin sets the new password, shoot out an email to the user saying "Your password was changed by the Administrator, if you did not request this, please click here". When they click on the link in the email, simply overwrite the new password with their old one.
That way, in case an Admin is changing passwords without the user requesting it, you have a recourse for the user, and the logs will keep you informed of how many times an admin has had a password reset revoked by the user.
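The reset-and-revoke flow described in this answer, as an added example that is not part of the original post: the old salt and hash are retained (never the clear text), the e-mail link carries a one-time token of which only the hash is stored, and every reset and revocation is logged. The in-memory store, the names, the 3-day revoke window and the PBKDF2 settings are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: admin password reset that the affected user can revoke from an e-mail link.
public sealed class AdminPasswordReset
{
    private sealed class Account { public byte[] Salt, Hash, OldSalt, OldHash, TokenHash; public DateTime Expires; }
    private readonly Dictionary<string, Account> _accounts = new Dictionary<string, Account>();
    public readonly List<string> Audit = new List<string>();

    private static byte[] NewBytes(int n)
    { var b = new byte[n]; using (var r = RandomNumberGenerator.Create()) r.GetBytes(b); return b; }
    private static byte[] Kdf(string password, byte[] salt)
    { using (var k = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256)) return k.GetBytes(32); }
    private static byte[] Sha(string s)
    { using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    private static bool Same(byte[] a, byte[] b)   // comparison without early exit
    { int d = a.Length ^ b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) d |= a[i] ^ b[i]; return d == 0; }

    public void Register(string user, string password)
    { var s = NewBytes(16); _accounts[user] = new Account { Salt = s, Hash = Kdf(password, s) }; }

    public bool Verify(string user, string password)
    { return _accounts.TryGetValue(user, out Account a) && Same(Kdf(password, a.Salt), a.Hash); }

    // Admin sets a new password. Returns the one-time token for the "I did not request this" link.
    public string ResetByAdmin(string admin, string user, string newPassword)
    {
        Account a = _accounts[user];
        a.OldSalt = a.Salt; a.OldHash = a.Hash;          // keep the previous salt+hash for a possible revoke
        a.Salt = NewBytes(16); a.Hash = Kdf(newPassword, a.Salt);
        string token = BitConverter.ToString(NewBytes(32)).Replace("-", "");
        a.TokenHash = Sha(token);                        // store only the hash of the token
        a.Expires = DateTime.UtcNow.AddDays(3);          // assumed revoke window
        Audit.Add(DateTime.UtcNow.ToString("o") + " reset user=" + user + " by=" + admin);
        return token;
    }

    // Called from the e-mail link: restores the previous hash once, then invalidates the token.
    public bool Revoke(string user, string token)
    {
        if (!_accounts.TryGetValue(user, out Account a) || a.TokenHash == null) return false;
        if (DateTime.UtcNow > a.Expires || !Same(Sha(token ?? ""), a.TokenHash)) return false;
        a.Salt = a.OldSalt; a.Hash = a.OldHash;
        a.OldSalt = a.OldHash = a.TokenHash = null;
        Audit.Add(DateTime.UtcNow.ToString("o") + " reset REVOKED user=" + user);
        return true;
    }
}
```

After `ResetByAdmin`, `Verify` accepts only the new password; after a successful `Revoke` it accepts only the old one, and a second use of the same token returns `false`.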

User is not able to log in after some time

I am using ASP.NET MVC along with SQL Server. A user of my application created a username like "abcd efgh", with a space in the user name. It worked for some time and now it has stopped working. I checked that the user is entering the correct data. This happened even when the user name did not have a space in it. I set up the membership database using Aspnet_regsql.exe.
Any help in troubleshooting this is appreciated.
Are you sure that you are not parsing/modifying the username or password before giving it to Membership?
Why don't you set a breakpoint in your Controller Action and see what username and password are at that point?

Connection string security in .net desktop application

I'm developing a .NET WinForms desktop application intended to be run at several bank's branches as a backup application whenever the main one (a web application) is unavailable due to connection issues with the bank's central node. The branches themselves don't have any enterprise services besides a SQL Server database. For that reason, the application should be able to connect directly to the SQL Server. My problem arises when I have to provide the application with a password to connect to the database:
1) Storing the password in clear text in a app.config file or similar is not an option (the customer requires the password to be encrypted)
2) Storing the password encrypted in a configuration file leads to the need of having an encryption key locally available. The encryption key could be just hardcoded in the application's code, but it would be easily readable by using a .net-decompiler or similar.
3) Using a custom algorithm to encrypt/decrypt wouldn't work either due to the same reasons as 2).
4) Integrated security is not supported by the bank
Additionally, the customer requires that they should be able to change the password in one location (within a branch) without the need to go from one computer to another updating config files (that rules out the possibility of using the machine's key to encrypt the password in individual machines' config files like ASP.NET does).
Would you provide any other approach or suggestion to deal with this problem?
I would appreciate any help.
Thanks in advance,
Bernabé
I don't think that encrypting the password by any means is going to solve your problem. If the user has to send the password to the server, and the password is located on the box, then by definition the user running the application must have access to the password and be able to decrypt it. Otherwise, you wouldn't be able to authenticate them. This means that there will always be a way for the user to get at the password, regardless of where you store it.
I can think of 2 ways that could possibly work, but I'm afraid they're not exactly what you're looking for.
Remove the requirement of having the user send the password to the server by using some sort of local proxy (for example using a WCF Windows service) to take your WinForms requests and then send them on your behalf to the DB server. If you install the service using an account different from the user's account, then you can secure the password by any of the means mentioned in the other answers. The key here is to make sure the application user does not have access to the resources that the service account needs to decrypt the password.
Don't store the password in the web config. Assign each user a different user account and password at the database level and have them type it in when they log in.
You could use the protected configuration built into .NET. See Encrypting Configuration Information Using Protected Configuration in the MSDN docs. One of its raisons d'être was to encrypt data such as connection strings in config files.
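The protected configuration approach mentioned above, as an added example that is not part of the original answer: it encrypts the `connectionStrings` section of the application's own `.exe.config` in place. The class name and the connection string name `BranchDb` are assumptions; the two provider names are the ones shipped with the .NET Framework.

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll

// Added example: encrypting <connectionStrings> with .NET protected configuration.
public static class ConnectionStringProtection
{
    // DPAPI-based: the encrypted section only decrypts on the machine that encrypted it.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA-based: the key container can be exported and imported on other machines.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts the section in <app>.exe.config. Needs write access to that file,
    // so it is normally run once at install time rather than by the end user.
    public static bool Protect(string providerName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null) return false;
        if (section.SectionInformation.IsProtected) return true;   // already encrypted
        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    // Reverses Protect, for example before the password is edited by hand.
    public static void Unprotect()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && section.SectionInformation.IsProtected)
        {
            section.SectionInformation.UnprotectSection();
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading is unchanged: the framework decrypts the section transparently,
    // for any process that is allowed to use the provider's key.
    public static string Read()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings["BranchDb"];
        return s == null ? null : s.ConnectionString;
    }
}
```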
You could:
Use DPAPI to store an encryption/decryption key securely: How To: Use DPAPI to Encrypt and Decrypt Data
Install SQL Server Compact Edition (or another small database) on your workstations and synchronize data when your web application comes online again.
Ask for help inside that institution, as other people could have solved that problem and could help you.
Definitely agree with the above regarding DPAPI. Microsoft's Enterprise Library makes this an absolute breeze too, so I would consider looking there first.

Winforms login application samples?

I will be working on a Time Management application very soon using WinForms and Access and was looking for some good resources on how to create a simple password protected application. I came from ASP.NET but have VERY little experience with WinForms. Are there any end-to-end tutorials for something like this?
Thanks everyone.
Well, in VB.NET you have a template for a login form.
Just Add/New Item, select "Login Form".
But that just creates a dialog with two textboxes, username and password. Everyone can do that.
Then it's up to you how to verify that the entered username and password are a valid user, against a database, encrypted text file, encrypted strings in the registry, an XML file or whatever you want.
In the generated form there is also some information:
' TODO: Insert code to perform custom authentication using the provided username and password
' (See http://go.microsoft.com/fwlink/?LinkId=35339).
' The custom principal can then be attached to the current thread's principal as follows:
'     My.User.CurrentPrincipal = CustomPrincipal
' where CustomPrincipal is the IPrincipal implementation used to perform authentication.
' Subsequently, My.User will return identity information encapsulated in the CustomPrincipal object
' such as the username, display name, etc.
If you follow that link you'll end up here:
http://msdn.microsoft.com/en-us/library/aa302401.aspx
Which is maybe not the best place to be, you might think, as it is focused on ASP.NET. But check out the related chapters there, as they tell you a lot about encryption and other useful things in this area.
If you just have an application that is running in single user mode, then it's enough to store users and passwords encrypted in the registry or a local XML file or anything like that.
