I have some code like this in a winforms app I was writing to query a user’s mail box Storage Quota.
DirectoryEntry mbstore = new DirectoryEntry( @'LDAP://' + strhome, m_serviceaccount, [m_pwd], AuthenticationTypes.Secure); No matter what approach I tried (like SecureString), I am easily able to see the password (m_pwd) either using Reflector or using strings tab of Process Explorer for the executable.
I know I could put this code on the server or tighten up the security using mechanisms like delegation and giving only the required privileges to the service account.
Can somebody suggest a reasonably secure way to store the password in the local application without revealing the password to hackers?
Hashing is not possible since I need to know the exact password (not just the hash for matching purpose). Encryption/Decryption mechanisms are not working since they are machine dependent.
The sanctified method is to use CryptoAPI and the Data Protection APIs.
To encrypt, use something like this (C++):
Decryption is the opposite:
If you don’t specify CRYPTPROTECT_LOCAL_MACHINE then the encrypted password can be securely stored in the registry or config file and only you can decrypt it. If you specify LOCAL_MACHINE, then anyone with access to the machine can get it.