#1 Hightower

    vb.net and database security

    I've created an application in vb.net for my fiancee to use in her new job. Basically she has a million passwords to remember, and rather than storing them in an insecure Excel document I said I would write something for her.

    The application is written in VB.net 2008, and uses an MS Access database for storing all the data in. The application also has the option of using a second-factor auth method (USB-pen drive in this case) to make it more secure.

    Anyhow, I want to release the software as people might find it useful, but I want some ideas first about the security of the application:

    1) The database is password protected using the standard method in Access. This password is extremely long and random, and is stored only in the application settings on the project, so people without the source (so anyone but me) should not be able to see this. Anyhow, as always, passwords can be cracked, so is there any better way to secure the database? The database will only exist on a local computer/network share, so access to that drive will be required first and cracking is unlikely - but I would have thought there would be a better way of securing an Access database.

    2) The second-form factor auth is done by the application creating a hidden text file on the removable device, and in this file is a hash of the username. If the username given when logging in doesn't match the file on the pen then it won't let them in. Similarly it won't let them in if no pen is plugged in, or if no file exists on the pen drive. Is there a better way to do this, or have I covered the bases?

    Would love some advice on this as I would love to release this app, but feel it would be a waste of time if the steps I've taken are as protective as a chocolate condom.

    Thanks,

#2 Jamo

    I'm not sure how VB compiles, but on straight EXE files the string objects are visible in hex editors, so it's usually quite easy to get at a password hidden straight inside.

    Instead of storing the passwords in the access database direct I would use VB to perform some sort of calculation on the object itself and encrypt the string before writing it to the database. This is due to the fact that with a tool like wordpad you can read the contents of the Access database in plain text.

    You could also try a two-key approach where one half of the key is in your program and the USB method provides the other half in the form of a hidden file. The easiest way of doing this would be to write a file of a number of ints and import them and use them in your calculations. This way, without both halves the passwords would be safe even from those who are familiar with hex / wordpad editing!

#3 LosOjos

    Don't rely on your source code being safe in .net; using a tool like .net Reflector, most .net programs can be de-compiled in seconds. It's amazing how many big name programs have insecure source code because of this. Google ".net obfuscator" for help protecting your source code.

#4 Hightower

    Quote Originally Posted by LosOjos View Post
    Don't rely on your source code being safe in .net; using a tool like .net Reflector, most .net programs can be de-compiled in seconds. It's amazing how many big name programs have insecure source code because of this. Google ".net obfuscator" for help protecting your source code.
    Thanks - I'd heard of that in a previous life, but never looked into it. I'm not so worried about protecting the source code as about protecting the actual data the user stores for this app.

    I used Access for ease, but maybe it wasn't the right tool in hindsight...

#5 LosOjos

    Quote Originally Posted by Hightower View Post
    Thanks - I'd heard of that in a previous life, but never looked into it. I'm not so worried about protecting the source code as about protecting the actual data the user stores for this app.

    I used Access for ease, but maybe it wasn't the right tool in hindsight...
    What I was really getting at is that you mention that the password for the Access database is stored in the code, so if someone decompiled your program, they'd have that password.

    Have you thought about using VB Structures to make your own containers for the values you need to store and saving those to a custom (encrypted) file? Still wouldn't be 100% secure, but it'd certainly make it much harder for anyone to crack as it's a unique file type. Couple that with obfuscated code (so that nobody can decompile your program and see how the file is structured and encrypted) and you should be well on your way to making it secure.

    Thanks to LosOjos from: Hightower (4th May 2010)

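Jamo's two-key idea and LosOjos's encrypted-container suggestion, combined in an added VB.NET example that is not code from this thread: each stored password is AES-encrypted under a key derived from the master password plus random bytes that exist only in a hidden file on the pen drive (assumed at E:\.vault.key, 32 random bytes written once at setup), so a copied database plus a decompiled EXE is not enough on its own.

```vb
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module SplitKeyVault
    ' Assumption: a hidden 32-byte random file on the pen drive, written once at setup.
    Const UsbKeyFile As String = "E:\.vault.key"
    Const Iterations As Integer = 100000

    ' Key = PBKDF2(master password, per-entry salt || USB bytes). Without the pen the
    ' salt alone is useless, so a copied .mdb plus the master password is not enough.
    Function DeriveKey(masterPassword As String, salt As Byte()) As Byte()
        Dim usbHalf As Byte() = File.ReadAllBytes(UsbKeyFile) ' throws if the pen is absent
        Dim combined(salt.Length + usbHalf.Length - 1) As Byte
        Buffer.BlockCopy(salt, 0, combined, 0, salt.Length)
        Buffer.BlockCopy(usbHalf, 0, combined, salt.Length, usbHalf.Length)
        Dim kdf As New Rfc2898DeriveBytes(masterPassword, combined, Iterations)
        Return kdf.GetBytes(32) ' AES-256 key
    End Function

    ' Returns Base64(salt(16) || iv(16) || AES-CBC ciphertext) for a text column in Access.
    Function EncryptEntry(masterPassword As String, plaintext As String) As String
        Dim salt(15) As Byte, iv(15) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt) : rng.GetBytes(iv) ' fresh random salt and IV for every entry
        Using aes As Aes = Aes.Create()
            aes.Key = DeriveKey(masterPassword, salt) : aes.IV = iv
            Dim data As Byte() = Encoding.UTF8.GetBytes(plaintext)
            Dim cipher As Byte() = aes.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)
            Dim blob(31 + cipher.Length) As Byte ' VB bounds are inclusive: 32 + cipher.Length bytes
            Buffer.BlockCopy(salt, 0, blob, 0, 16)
            Buffer.BlockCopy(iv, 0, blob, 16, 16)
            Buffer.BlockCopy(cipher, 0, blob, 32, cipher.Length)
            Return Convert.ToBase64String(blob)
        End Using
    End Function

    ' A wrong master password or the wrong pen normally surfaces as a CryptographicException
    ' (bad padding) here; add an HMAC over the blob if tampering must be detected reliably.
    Function DecryptEntry(masterPassword As String, stored As String) As String
        Dim blob As Byte() = Convert.FromBase64String(stored)
        Dim salt(15) As Byte, iv(15) As Byte
        Buffer.BlockCopy(blob, 0, salt, 0, 16) : Buffer.BlockCopy(blob, 16, iv, 0, 16)
        Using aes As Aes = Aes.Create()
            aes.Key = DeriveKey(masterPassword, salt) : aes.IV = iv
            Dim plain As Byte() = aes.CreateDecryptor().TransformFinalBlock(blob, 32, blob.Length - 32)
            Return Encoding.UTF8.GetString(plain)
        End Using
    End Function
End Module
```

The Base64 string replaces the plaintext in the Access column, so the Access database password only guards the layout, not the secrets; the pen-drive key file takes the place of the username hash in the original design, since a hash of a known username adds nothing an attacker cannot recreate.
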
#6 sister_annex

    I second the comment on the custom containers....

    On another note, why not hash the passwords using some form of TES Encryption or an MD5 hash or something like that? It may add the extra bit of security you are looking for...

    One place to check is here: ProtectedData Class (System.Security.Cryptography)

    My 2 pence worth

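The ProtectedData route sister_annex links to, as an added VB.NET example (not from the thread; needs a project reference to System.Security.dll and assumes the same hidden pen-drive file at E:\.vault.key): DPAPI keys the data to the Windows account, so no secret has to live in the EXE, and the pen's bytes are passed as optional entropy; a one-way hash (PBKDF2 here rather than MD5) fits only the application's own login password, because the stored passwords must be read back.

```vb
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module DpapiVault
    Const UsbKeyFile As String = "E:\.vault.key" ' assumption: hidden random bytes on the pen

    ' DPAPI, CurrentUser scope: Windows derives the key from the logon credentials, so the
    ' EXE holds no secret. The USB bytes go in as optional entropy, so decrypting needs the
    ' same Windows account AND the pen. Caveat: this ties the data to one account on one
    ' machine; a database shared between accounts needs a key the application derives itself.
    Function ProtectEntry(plaintext As String) As String
        Dim entropy As Byte() = File.ReadAllBytes(UsbKeyFile)
        Dim cipher As Byte() = ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), _
                                                     entropy, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    ' Throws CryptographicException under another account, on another machine, or with a missing/wrong pen.
    Function UnprotectEntry(stored As String) As String
        Dim entropy As Byte() = File.ReadAllBytes(UsbKeyFile)
        Dim plain As Byte() = ProtectedData.Unprotect(Convert.FromBase64String(stored), _
                                                      entropy, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(plain)
    End Function

    ' The application's own login password is the one place a one-way hash fits: store
    ' salt and PBKDF2(password, salt) instead of an MD5 digest, and compare on login.
    Function HashMasterPassword(password As String) As String
        Dim salt(15) As Byte
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt)
        Dim kdf As New Rfc2898DeriveBytes(password, salt, 100000)
        Dim hash As Byte() = kdf.GetBytes(32)
        Return Convert.ToBase64String(salt) & ":" & Convert.ToBase64String(hash)
    End Function

    Function VerifyMasterPassword(password As String, stored As String) As Boolean
        Dim parts() As String = stored.Split(":"c)
        Dim salt As Byte() = Convert.FromBase64String(parts(0))
        Dim expected As Byte() = Convert.FromBase64String(parts(1))
        Dim kdf As New Rfc2898DeriveBytes(password, salt, 100000)
        Dim actual As Byte() = kdf.GetBytes(32)
        Dim diff As Integer = 0
        For i As Integer = 0 To 31 ' compare every byte, no early exit on mismatch
            diff = diff Or (actual(i) Xor expected(i))
        Next
        Return diff = 0
    End Function
End Module
```
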