Posted

I've created an application in vb.net for my fiancee to use in her new job. Basically she has a million passwords to remember, and rather than storing them in an insecure Excel document I said I would write something for her.

 

The application is written in VB.net 2008, and uses an MS Access database for storing all the data in. The application also has the option of using a second-factor auth method (USB-pen drive in this case) to make it more secure.

 

Anyhow, I want to release the software as people might find it useful, but I want some ideas first about the security of the application:

 

1) The database is password protected using the standard method in Access. This password is extremely long and random, and is stored only in the application settings on the project, so people without the source (so anyone but me) should not be able to see this. Anyhow, as always, passwords can be cracked, so is there any better way to secure the database? The database will only exist on a local computer/network share, so access to that drive will be required first and cracking is unlikely - but I would have thought there would be a better way of securing an Access database.

 

2) The second-factor auth is done by the application creating a hidden text file on the removable device, and in this file is a hash of the username. If the username given when logging in doesn't match the file on the pen then it won't let them in. Similarly, it won't let them in if no pen is plugged in, or if no file exists on the pen drive. Is there a better way to do this, or have I covered the bases?

 

Would love some advice on this as I would love to release this app, but feel it would be a waste of time if the steps I've taken are as protective as a chocolate condom.

 

Thanks,

Posted

I'm not sure how VB compiles, but in straight EXE files the string objects are visible in hex editors, so it's usually quite easy to get at a password hidden straight inside.

 

Instead of storing the passwords in the Access database directly, I would use VB to perform some sort of calculation on the object itself and encrypt the string before writing it to the database. This is due to the fact that with a tool like WordPad you can read the contents of the Access database in plain text.

 

You could also try a two-key approach where one half of the key is in your program and the USB method provides the other half in the form of a hidden file. The easiest way of doing this would be to write a file of a number of ints, import them and use them in your calculations. This way, without both halves the passwords would be safe even from those who are familiar with hex / WordPad editing!

Posted
Don't rely on your source code being safe in .NET; using a tool like .NET Reflector, most .NET programs can be decompiled in seconds. It's amazing how many big-name programs have insecure source code because of this. Google ".net obfuscator" for help protecting your source code.

 

Thanks - I'd heard of that in a previous life, but never looked into it. I'm not so much worried about protecting the source code as protecting the actual data the user stores for this app.

 

I used Access for ease, but maybe it wasn't the right tool in hindsight...

Posted
What I was really getting at is that you mention that the password for the Access database is stored in the code, so if someone decompiled your program, they'd have that password.

 

Have you thought about using VB Structures to make your own containers for the values you need to store and saving those to a custom (encrypted) file? It still wouldn't be 100% secure, but it'd certainly make it much harder for anyone to crack as it's a unique file type. Couple that with obfuscated code (so that nobody can decompile your program and see how the file is structured and encrypted) and you should be well on your way to making it secure.
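The two-key idea raised in the replies above (one secret the user knows, one secret held on the USB stick, neither of which is hard-coded in the program), worked through as an added Python example that is not code from this thread or from the poster's app. The function names, the PBKDF2 parameters and the verifier layout are my own assumptions; encrypting the stored records themselves with a standard authenticated cipher is left out.

```python
import hashlib
import hmac
import secrets

# Constructed example. Instead of a hash of the username (which anyone who
# knows the username can recompute), the USB stick holds a random secret,
# and the database key is derived from that secret together with a master
# password the user types in. A decompiled program, a copied database file,
# or a copied USB file alone is then not enough to recover the key.

KDF_ITERATIONS = 200_000  # assumed; tune to ~100 ms on the target machine
TOKEN_LEN = 32


def make_usb_token() -> bytes:
    """Random secret to write to the hidden file on the USB stick."""
    return secrets.token_bytes(TOKEN_LEN)


def derive_key(master_password: str, usb_token: bytes, salt: bytes) -> bytes:
    """Derive the database key from both factors.

    PBKDF2 slows offline guessing of the master password; the USB token is
    folded into the salt as extra keying material so both halves are needed.
    """
    if len(usb_token) != TOKEN_LEN:
        raise ValueError("USB token has the wrong length")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt + usb_token, KDF_ITERATIONS, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Value stored in the database so the app can tell a correct key from a
    wrong one without storing the key itself."""
    return hmac.new(key, b"password-store-verifier", "sha256").digest()


def enroll(master_password: str) -> tuple[bytes, bytes, bytes]:
    """First-run setup: returns (salt to keep in the DB, token to write to the
    USB stick, verifier to keep in the DB)."""
    salt = secrets.token_bytes(16)
    token = make_usb_token()
    return salt, token, make_verifier(derive_key(master_password, token, salt))


def check_login(master_password: str, usb_token: bytes,
                salt: bytes, verifier: bytes) -> bool:
    """Login check: both the typed password and the USB file must be right.
    compare_digest avoids leaking the mismatch position through timing."""
    candidate = make_verifier(derive_key(master_password, usb_token, salt))
    return hmac.compare_digest(candidate, verifier)
```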

