I have a winform application that have user login form. I store my users login information in database with 3 parameters: username, hashed password, salt:
salt = random string that will be stored in database for every user
hashed password = MD5(MD5(inputPassword) + MD5(salt))
I want to have check box named Remember me in my login form, that when a user enter the correct information and check it, for the next time user open the program, their user information will be entered automatically, user just need to click login button.
I can't save the entered password directly and next time fill the password textBox with it because i know some softwares that can read textBoxes like this and it's not secure.
Question:
How I can do that without saving user password?
If I need to save some information, How encrypt them?
Is it necessary to change my security policy?
Note that this is Client/Server application and login form created for client side.
You can save the hashed value of password in your local database, and you can have a hidden check box, which tells you that you have filled the info from database which is already hashed and while asking authentication you do not need to hash the password value again.
EDIT If the user tries to enter the password manually then you can clear the text box value and alter the check box checked value, so that you know now the value is not the hashed one.
As per my understand, if you want to have remember me functionality then you should/must have your password stored in any form to authenticate the user.
One way is, have 2 functionality in your product. One to have a Hash and this will be in the database and I think you are doing it currently. Apart from this, also have functionality to Encrypt/Decrypt. When remember me is checked then just save the encrypted value in your app.config file. Now when ever the user opens the application again, check for the encrypted password and decrypt to authenticate user.
User dbw just posted my other approach :)
Hope it helps.
IMHO, this can't be done. If you are encrypting/hashing/salting and saving the password in DB then you can't really get it back in plain text.
Of course, you can trick the user (I will tell you how), but need to define what you want the user to do:
Enter at least password again (every time) even after user has asked to "remember me". This can be done easily, just retrieve the user id and keep password box blank. No tricks. Plain and Simple. Even Google do it for their sites.
Now trick time. Let the user enter the application without password but just username. You can just enter some default value in password box (user will think the password is actually retrieved but you will program such a way that whenever "remember me" option is selected, you will just auti-fill this info) and let the user go in. But this is not good option because potentially anyone using that system will be able to logon to your app. You will have to take a call as per your security requirement.
There is a functionality for this on windows. DataProtector and ProtectedData classes can be used to encrypt binary data based on machine information. You can specify the scope of the encryption to be User based or System based it can come in handy for this.
If you think it's better you can only serialize the Login Token information not the User credentials.
You just encrypt the serialized information and store that anywhere you want. And decrypt and deserialize it when you want to use it on startup.
I think so, yes.
You can check them out here:
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.dataprotector?view=netframework-4.7.2
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.protecteddata?view=netframework-4.7.2
Related
We are currently using forms auth as follows:
FormsAuthentication.SetAuthCookie(userId, rememberMe);
With that we can always get the user id. And we were able to get the user details when you need them using the user id.
With a web service call like
objRegisteredUser = CMembership.GetByLoginID(sLoginID);
We know need to upgrade the site with the new APIS service calls that require the users Password like this:
objRegisteredUser = CMembership.GetByLoginIDandPasword(sLoginID, sPassword);
For the "remember" me function, what would be the best way to remember the password?
Could we encrypt it, then store it in a cookie, then retrieve and decrypt?
We can't populate the new profile without the password.
Any suggestions?
Does storing password data, even encrypted go against best practices?
Passwords should always be stored using a one-way encryption algorithm (SHA). This means you will not be able to retrieve the underlying password. You will only have access to the hashed value.
You can use membership class in asp.net
http://msdn.microsoft.com/en-us/library/ff648345.aspx
The "remember me" button should be used to determine whether or not a cookie should be placed on the user's machine. This is how other developers accomplish your requirement. See below question on SO for further details:
What is the best way to implement "remember me" for a website?
I'm currently working on a project where people can register and login to their own content page.
I have used a custom registration method (Not the Default Create User Wizard). I am capable of sending an email off to the registering persons email. However I now want to add a link to that email where people have to click on it in order to get their profile verified.
I have heard that you can use a GUID along with a Token to do this but I don't know how to go on implementing this there fore i need help.
I have my users details stored in the
> tblUsers with fields ID, Name, Password, Details, Photo as well as a **Verify** field which i believe could be used as a verification? for now its empty and is not being used.
I have created my login control using the default Login control provided by the Microsoft Visual Studio environment.
Would really be grateful if someone can help me and guide me through this, after 2 days of constant research and trying I'm stuck on this part without being able to progress further
Well a better option would be encryption of UserID. as this will not only save addition of extra column in database but provide easy handling. Now the question is how will you do that.
Try this.. Make a simple encryption Logic (you can google this and just a few lines of code)
when creating that hyperlink, append that encrypted UserId . When user clicks , send that to server , decrypt and validate with the user id. this will help you to mange user on base of User Id which i hope is unique in you case.
Guid is just another option, why not using your UserID which is alreday unique :)
I think you could generate the guid upon the user registration and store on the user's table. You can also send it in the query of the link that you want to add to the e-mail.
After the user clicks the link you could require the user to login and you would verify if the guid on the query is the same that you have stored on your user's table. If you have you could alter the state of the user to "verified".
Your question requires quite a few steps, but to at least start you off.
User would Register
You'll need to query the email address does not exists.
If it doesn't exists, you'll want to store that information into your database.
With the logic you have to store the information, you'll want to do something like this:
Guid userGuid = Guid.NewGuid();
string body = "To confirm 'http://www.somesite.com/verify/aspx?userGuid=" +
userGuid + "Verify your account";
string GuidToTest = Request["userGuid"];
Something like that should accommodate, you'll have to create a structure and path to handle all of that with your Domain Logic and Data Access.
Hopefully that helps.
I am designing & developing "Reset Password" form, where user provides username/email address so that application will send a link in a email for the user to click and type a new password. My interest is all about that link, How should i go ahead doing these jobs( I am not looking for answers that will be based on opinion but rather industry practices, steps that worked for your applications).
Make sure link is not bookmark enabled(Don't allow him resetting the password with the same link)
If the links also contains expiry information, What should happen if he clicks expired link
you can also help me by providing other problems i may face with current plan of execution.
I have just implemented something similar.
User clicks "lost password" and enters email address.
On submit, generate a reset code so the main password is unaffected. (should be salt hashed too). Set a timeout for using the reset code.
User visits change password form. Enters email, reset code, new password and confirm password. On success, clear reset code and set new password, redirect to the login page.
I decided to make the reset code as part of the url as to make it easier for the users. As for bookmarking, well, you can't protect all users like that. If they want to bookmark that page, let them. The above measures should stop them submitting anything out of line.
On the reset form's submit you generate a random code, store it in a database(with expiry information if needed and a flag if it has been used) and include it as a parameter in the link.
The link brings the user back to the reset form where you check if the code(parameter) is in the database and has not expired or used already.
The approach that I like is to create a string that looks somehow like this: [username][currentPassword][expirationDate], hash it, and then create a link that looks like: resetPassword.php?username=[username]&exp=[expirationDate]&hash=[hash]
In resetPassword.php you verify this hash with the info in the GET params + the old password you had, and if hash matches, go on with reseting the password.
This way the link will expire whenever it should expire, and it will be impossible to reset the password with that link after the password was changed.
Another approach is to store the reset password code in the database.
I am implementing a reset password aspx page and in that page, I am doing the following with a Wizard.
I am asking the user for his/her username, checking to make sure username does exist before moving on.
In the second view, I want to ask the user to answer his/her security question. I want to display the question and validate what their answer is, and if valid, continue to third step. (At moment, I'm not sure how to retrieve the security question to display in the second.)
In third view, ask user to enter in new password.
I understand how to go about changing the password even without the old password, but just can't seem to figure out how to get the security question.
Anyone have any ideas??
Membership.GetUser().PasswordQuestion contains the Security Question.
Membership.GetUser().ResetPassword(securityQuestionAnswer) will generate a new random password for the user. You can then email this to the user.
http://msdn.microsoft.com/en-us/library/d90zte4w.aspx
If a password answer is required and an incorrect password answer is supplied, a MembershipPasswordException is thrown by the membership provider. If you wanted to allow the user to enter a password, you could check to ensure that this exception is not thrown, then change the password.
So, I've been playing with asp:PasswordRecovery and discovered I really don't like it, for several reasons:
1) Alice's password can be reset even without having access to Alice's email. A security question for password resets mitigates this, but does not really satisfy me.
2) Alice's new password is sent back to her in cleartext. I would rather send her a special link to my page (e.g. a page like example.com/recovery.aspx?P=lfaj0831uefjc), which would let her change her password.
I imagine I could do this myself by creating some sort of table of expiring password recovery pages and sending those pages to users who asked for a reset. Somehow those pages could also change user passwords behind the scenes (e.g. by resetting them manually and then using the text of the new password to change the password, since a password cannot be changed without knowing the old one). I'm sure others have had this problem before and that kind of solution strikes me as a little hacky. Is there a better way to do this?
An ideal solution does not violate encapsulation by accessing the database directly but instead uses the existing stored procedures within the database...though that may not be possible.
I'm currently implementing an open source user management system on top of Spring + SpringSecurity, and here's how I'm addressing the lost password problem.
The user's account must have a preregistered email address.
To request a reset, the user enters their account name into a form.
A temporary "reset code" is generated and attached to the account, and emailed to the user embedded in a hyperlink.
On receiving the email, the user clicks the link which takes them to a page to enter their new password.
Before accepting the new password, the reset code (from the link) is checked against the stored code, to make sure it is correct and that it hasn't expired.
This avoids sending a password (in clear) in an email message. And it also protects against one person resetting another person's password just to be a nuisance, because the password reset only takes place after the link has been used.
But it does rely on the user's email account being secure, and in the email not being snooped while in transit. For some applications, this maybe an unacceptable risk.
Another piece of the equation is that you need to be really careful about changing a user's registered email addresses. At the very least, the user must enter their current password with the request to change address ... to prevent against hacking via unattended login sessions.
I recommend adding an additional level of checking, here are some options to choose from.
First you can save the requester's IP address in a database, then when they click the reset link compare that with the IP address of their current machine, if they match then reset the password. If the email is intercepted then the person attempting to reset the password must have a matching IP address.
Use a cookie and store a unique value, maybe a GUID, MD5 hash or something. So when the user makes a password reset request a cookie is stored on their machine and in the database, when the user clicks the link the local cookie must match the database value or they will not be able to reset their password.
In general I am totally against ever sending a password in Email, so I like the password reset link option more than a new plain-text password.