4th May 2010, 11:52 AM #1
vb.net and database security
I've created an application in vb.net for my fiancee to use in her new job. Basically she has a million passwords to remember, and rather than storing them in an insecure Excel document I said I would write something for her.
The application is written in VB.net 2008, and uses an MS Access database for storing all the data in. The application also has the option of using a second-factor auth method (USB-pen drive in this case) to make it more secure.
Anyhow, I want to release the software as people might find it useful, but I want some ideas first about the security of the application:
1) The database is password protected using the standard method in Access. This password is extremely long and random, and is stored only in the application settings on the project so people without the source (so anyone but me) should not be able to see this. Anyhow, as always, passwords can be cracked so is there any better way to secure the database? The database will only exist on a local computer/network share so access to that drive will be required first so cracking is unlikely - but I would have thought there would be a better way at securing an Access database.
2) The second-factor auth is done by the application creating a hidden text file on the removable device, and in this file is a hash of the username. If the username given when logging in doesn't match the file on the pen then it won't let them in. Similarly it won't let them in if no pen is plugged in, or if no file exists on the pen drive. Is there a better way to do this, or have I covered the bases?
Would love some advice on this as I would love to release this app, but feel it would be a waste of time if the steps I've taken are as protective as a chocolate condom.
4th May 2010, 12:02 PM #2
I'm not sure how VB compiles, but on straight EXE files the string objects are visible in hex editors, so it's usually quite easy to get at a password hidden straight inside.
Instead of storing the passwords in the access database direct I would use VB to perform some sort of calculation on the object itself and encrypt the string before writing it to the database. This is due to the fact that with a tool like wordpad you can read the contents of the Access database in plain text.
You could also try a two-key approach where one half of the key is in your program and the USB method provides the other half in the form of a hidden file. The easiest way of doing this would be to write a file of a number of ints and import them and use them in your calculations. This way, without both halves the passwords would be safe even to those who are familiar with hex / WordPad editing!
4th May 2010, 01:08 PM #3
Don't rely on your source code being safe in .net; using a tool like .net Reflector most .net programs can be de-compiled in seconds. It's amazing how many big name programs have insecure source code because of this. Google ".net obfuscator" for help protecting your source code.
4th May 2010, 01:19 PM #4
Thanks - I'd heard of that in a previous life, but never looked into it. I'm not so worried about protecting the source code as about protecting the actual data the user stores for this app.
Originally Posted by LosOjos
I used Access for ease, but maybe it wasn't the right tool in hindsight...
4th May 2010, 01:22 PM #5
What I was really getting at is that you mention that the password for the Access database is stored in the code, so if someone decompiled your program, they'd have that password.
Originally Posted by Hightower
Have you thought about using VB Structures to make your own containers for the values you need to store and saving those to a custom (encrypted) file? Still wouldn't be 100% secure, but it'd certainly make it much harder for anyone to crack as it's a unique file type. Couple that with obfuscated code (so that nobody can decompile your program and see how the file is structured and encrypted) and you should be well on your way to making it secure.
6th May 2010, 12:01 PM #6
I second the comment on the custom containers....
On another note, why not hash the passwords using some form of TES Encryption or an MD5 hash or something like that? It may add the extra bit of security you are looking for...
One Place to Check is here ProtectedData Class (System.Security.Cryptography)
My 2 pence worth
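The two-key idea from post #2 (half the key on the pen drive) combined with the encrypt-before-writing advice from posts #2 and #6, written up as an added example in VB.NET. This is not code from the thread or from the OP's application; it assumes the vault stores a random 16-byte salt alongside the records, that the caller supplies the key-file path on the pen drive, and that the master password is typed at login.

```vbnet
Imports System.IO
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text
' Added example, not the thread's code: key file path, salt handling and
' record layout are assumptions for illustration.
Module VaultCrypto
    ' USB half of the key: 32 random bytes rather than a username hash (anyone who knows the username can recreate a hash).
    Public Sub CreateUsbKeyFile(path As String)
        Dim half(31) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(half)
        End Using
        File.WriteAllBytes(path, half)
    End Sub
    ' Master password + USB half + per-vault salt -> 64 bytes via PBKDF2: first 32 for AES-256, last 32 for HMAC-SHA256.
    Public Function DeriveKeys(master As String, usbHalf As Byte(), salt As Byte()) As Byte()
        Dim material As Byte() = Encoding.UTF8.GetBytes(master).Concat(usbHalf).ToArray()
        Using kdf As New Rfc2898DeriveBytes(material, salt, 100000)
            Return kdf.GetBytes(64)
        End Using
    End Function
    ' One stored password -> IV || ciphertext || HMAC: a single blob for the database column, fresh IV per record, edits detected.
    Public Function Protect(keys As Byte(), plaintext As String) As Byte()
        Using aes As Aes = Aes.Create()
            aes.Key = keys.Take(32).ToArray()
            aes.GenerateIV()
            Dim data As Byte() = Encoding.UTF8.GetBytes(plaintext)
            Dim body As Byte() = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)
            Dim signed As Byte() = aes.IV.Concat(body).ToArray()
            Using mac As New HMACSHA256(keys.Skip(32).ToArray())
                Return signed.Concat(mac.ComputeHash(signed)).ToArray()
            End Using
        End Using
    End Function
    ' Checks the HMAC before decrypting; a modified or foreign blob throws instead of yielding garbage.
    Public Function Unprotect(keys As Byte(), blob As Byte()) As String
        Dim signed As Byte() = blob.Take(blob.Length - 32).ToArray()
        Using mac As New HMACSHA256(keys.Skip(32).ToArray())
            If Not mac.ComputeHash(signed).SequenceEqual(blob.Skip(blob.Length - 32)) Then
                Throw New CryptographicException("Vault record failed integrity check")
            End If
        End Using
        Using aes As Aes = Aes.Create()
            aes.Key = keys.Take(32).ToArray()
            aes.IV = signed.Take(16).ToArray()
            Return Encoding.UTF8.GetString(aes.CreateDecryptor().TransformFinalBlock(signed, 16, signed.Length - 16))
        End Using
    End Function
End Module
```

With this layout neither the compiled program nor the database file contains the key, so decompiling the EXE or opening the .mdb in WordPad yields only ciphertext. Losing the pen drive also loses the vault, so the key file needs an offline backup.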