I need to “password protect” my application but need advice on where to store the password securely.
How I intend to do this:
The first time the program is run, I will prompt the user to create a password. The password will be salted and hashed in SHA-256 then stored in either the Registry or a file.
The Problem:
If I store the hashed password in the registry or a file (or both) then it would be too easy for someone to just delete the Key in the Registry or the File and be prompted to create a new password…
How can I securely store the hashed password so that it makes it harder to be deleted?
I have thought about storing it in the Registry and also creating a file with the Hidden and System attributes to read from in the event of the Registry key being deleted, but this seems silly as it could also be deleted quite easily.
// I hope I have posted this question correctly with the right Tags – I am new here so please go easy! 😉
All the best
Chris (Shamballa)
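The create-on-first-run / verify-on-later-runs flow the question describes, written out as an added example (this is not the asker's code). It stores the salt and hash in a JSON file, verifies with a constant-time comparison, and then deletes the file to show the reset problem the question raises. The file name and iteration count are assumptions; PBKDF2-HMAC-SHA256 is substituted for the single salted SHA-256 round the question mentions, because the iterated form is the standard way to slow down offline guessing against a stolen hash.

```python
"""Salted-hash password store, as sketched in the question (added example)."""
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value, not from the question)
SALT_LEN = 16          # bytes of random salt per stored password


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt-and-hash step. The question uses one SHA-256 round; this uses
    PBKDF2-HMAC-SHA256, which repeats that round so guessing is slower."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_password(store: Path, password: str) -> None:
    """First run: generate a fresh salt, hash the new password, persist both."""
    salt = secrets.token_bytes(SALT_LEN)
    record = {
        "salt": salt.hex(),
        "hash": derive(password, salt).hex(),
        "iterations": ITERATIONS,
    }
    store.write_text(json.dumps(record))


def needs_setup(store: Path) -> bool:
    """True when no record exists, i.e. the create-a-password prompt would run.
    This is the weakness the question points out: deleting the file (or the
    equivalent Registry key) drops the program back into first-run mode."""
    return not store.exists()


def verify_password(store: Path, candidate: str) -> bool:
    """Later runs: recompute with the stored salt and compare in constant time."""
    record = json.loads(store.read_text())
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    actual = derive(candidate, salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Walk the whole flow in a temp directory and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "app_password.json"   # hypothetical store location
        first_run = needs_setup(store)
        create_password(store, "correct horse battery staple")   # constructed sample
        good = verify_password(store, "correct horse battery staple")
        bad = verify_password(store, "wrong password")
        store.unlink()   # simulate the user deleting the stored record
        return {
            "first_run": first_run,
            "good": good,
            "bad": bad,
            "reset_after_delete": needs_setup(store),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the hashing side working as intended (correct password accepted, wrong one rejected, nothing recoverable from the file but a salt and a digest) and `reset_after_delete` coming back `True`: no choice of file attributes or Registry location changes that last result, which is the point the question is circling.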
This is basically a Programming Ethics 101 issue. If you’re storing information on someone else’s computer, remember that the computer is their property and they have the right to delete or modify any file or registry key on it. Trying to make it so that they can’t is a very bad idea.
There’s a good reason why you can’t do it. What would happen if someone started putting files that you can’t delete or modify on your computer? Extrapolate to the logical conclusion: What would happen if a virus started putting files that you can’t delete or modify on your computer, and did so in an infinite loop until the hard drive was full? You know if it was possible, someone would try it.
If you want a program that stores a password somewhere where the user can’t modify it, put it on your server and have your program contact it over an Internet connection. (Which is an entirely different can of worms, but at least you’re not trying to do impossible things or violate your users’ basic property rights anymore.)