Question login security

theawesomerb (Member; joined Sep 29, 2012; messages: 6; programming experience: Beginner)

Hello friends!

I have a little problem. I've made a login system using the registry: the program checks if a key exists; if it doesn't, it asks the user to create an account, and then he can access the main software; otherwise, it just shows the login form so the user can enter his login information. For now it works like a charm.

The problem is, when a user registers an account (a key), and somebody just deletes that key and restarts the app, it asks him to register and log in, so he can now access the main software.

What I want to do is ask the user to register just the first time he runs the app; after that, nobody can register again or delete the current account.

Thanks in advance, mates. I know what's hard for me is easy for you! (Be as quick as possible, please.)
 
Hi,

I do not mean to sound rude but I fear your logic is flawed. My reasoning for this is that you cannot hide or secure the registry since nearly all applications on a PC access the registry in one form or another in order to run and therefore so long as someone knows what they are doing and knows your keys then they will always be able to access the registry and either delete or modify your login keys.

I would ultimately recommend a secured database where you can limit access to your data as you need but it sounds like this is a standalone application due to your registry usage so maybe a simple compromise here is to create your own file to hold the login information whereby you can then encrypt the data that you enter into the file and then hide that file somewhere on the machine.

This is not a great solution by any means and the most important thing to remember is that you need to keep secret about where you have hidden your file and how you have encrypted it.

Hope that helps and good luck.

Cheers,

Ian
 
Thanks for the answer, Ian.
If I use a file as a database, it's going to be the same problem: they just have to delete it to grant full access. How do other programs avoid that?
PS: the values in the registry are encrypted. I decided to use the registry to keep newbies from deleting the file containing the encrypted username and password.

Cheers,
theawesomerb
 
> If I use a file as a database, it's going to be the same problem: they just have to delete it to grant full access

That's why I used the words "Keep Secret" since this is not a great solution.

> How do other programs avoid that

As mentioned, the ideal solution is to use a secured database such as SQL Server where you can then apply as much security as you wish. The only issue with this is that it sounds like you may not have any experience with databases and therefore it may be a whole new level of learning for you. This is however the right way to go for your future endeavours.

Cheers,

Ian
 
OK, I only used a local SQL database once, and still, it creates a file with the extension sdf..... which can be deleted, so same problem lol. This is what you're talking about, right?

PS: I'm kind of a newbie with SQL databases; I haven't had the occasion to use them, so thank you for your patience, and I'm sorry about the stupidity of my questions.

Thanks a lot.
 
Hi,

Firstly, don't ever worry about posting or asking what you may think of as being "stupid questions". It's all part of learning principles and programming.

On a standalone machine, whatever technique we have discussed so far is subject to the issues that you keep pointing out, even if you were to use SQL Server, so I will reiterate the point of keeping things secret.

The only true way to eradicate your issue is to have your login database reside on a SERVER PC (another PC on a network) where your application has the privileges to access that server PC database but your users do not have any access to that machine or any other files that reside on that machine.

Again, the client, server concept is a big thing to learn if you have not come across it before, but worth looking into if this is the security level that you need.

Cheers,

Ian
 
Hi again Ian, I need to find a more proper way than hiding a file somewhere. By the way, I'm using the application settings to save the configuration of the app, so why not save the login information there too ^^.

I have to say that I used the Visual Studio "application settings" as a database before I used the registry; I'm using the app settings again, so the application runs like this:
1) The app checks if the settings file exists; if not, it shows an error and closes.
2) The app checks if the username and password values = "", which means it is the first start of the application, and invites the user to register; if not, it shows the login form.

So that's how it doesn't need to hide the file or keep it secret, as long as the login information is encrypted and the application won't run if the file is missing, and they can't just change the password: they have to encrypt it first with the same encryption algorithm and the same key, which is nearly impossible.
I could use an SQL database for that, but it would be too heavy and I want the app size to be as small as possible.

Hope this helps anyone who has the same problem as me, and please correct me if I'm wrong.

TheawesomeRB.
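
The start-up logic described in the post above, as an added example that is not part of the original thread: a missing or damaged settings file makes the program refuse to start, all-blank values mean first start, and anything else goes to login. It is a language-neutral sketch in Python; the JSON file layout, the function names and the salted PBKDF2 hash used in place of the poster's encryption are assumptions of this example.

```python
import hashlib, hmac, json, secrets
from pathlib import Path

ITERATIONS = 200_000   # PBKDF2 work factor (value chosen for this example)
BLANK = {"username": "", "salt": "", "hash": ""}   # template shipped with the app (assumed)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def load(store: Path):
    """Return the stored record, or None if the file is missing or malformed."""
    try:
        rec = json.loads(store.read_text())
        fields = [rec["username"], rec["salt"], rec["hash"]]
        bytes.fromhex(rec["salt"]), bytes.fromhex(rec["hash"])
    except (OSError, ValueError, KeyError, TypeError):
        return None
    return rec if all(isinstance(f, str) for f in fields) else None

def startup_state(store: Path) -> str:
    rec = load(store)
    if rec is None:
        return "refuse"      # step 1: no usable settings file -> error and close
    filled = [bool(rec[k]) for k in BLANK]
    if not any(filled):
        return "register"    # step 2: all values blank -> first start
    return "login" if all(filled) else "refuse"   # half-blank file: fail closed

def register(store: Path, username: str, password: str) -> None:
    if startup_state(store) != "register":
        raise PermissionError("registration is only allowed on first start")
    if not username or not password:
        raise ValueError("username and password must not be empty")
    salt = secrets.token_bytes(16)   # fresh random salt per account
    store.write_text(json.dumps({"username": username, "salt": salt.hex(),
                                 "hash": pw_hash(password, salt).hex()}))

def check_login(store: Path, username: str, password: str) -> bool:
    if startup_state(store) != "login":
        return False
    rec = load(store)
    candidate = pw_hash(password, bytes.fromhex(rec["salt"]))
    ok_user = hmac.compare_digest(username.encode(), rec["username"].encode())
    return ok_user & hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))
```

Storing a salted hash means the program holds no decryption key at all; it only recomputes the hash and compares. As Ian notes for any standalone store, this governs what the program does with the file it finds, not who on the machine is able to change that file.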
 
Hi,

If I had no other choice and I had to use a file for the login details, I personally would use a separate, hidden, secret file, but that's just me; otherwise your concept is fine.

Cheers,

Ian
 