Basically, I have an application that will be used by different people. When a specific person logs on, they are asked to give a password to receive extra permissions. How can I set this password, preferably online, for ease of changing it, but not have it visible in the source code?
Asked
Active
Viewed 141 times
-1
-
2You have put the cart way in front of the horse here. Start with a thorough *threat model analysis* before you try to implement your own security system. You need to be able to answer questions like: what resource are you protecting? From what threat? How is it vulnerable to the threat? What are the consequences of a successful attack? And so on. Only after that analysis is complete should you even begin to contemplate solutions like password protection. Password protection schemes are *extraordinarily difficult to get right*. Hire a professional who specializes in this. – Eric Lippert Apr 29 '13 at 23:02
-
Either I messed up my explanation, or you interpreted it very incorrectly... – CrimsonDeath Apr 29 '13 at 23:07
-
I would strongly consider generating a `HashSet` and storing that. There are a few examples [here](http://stackoverflow.com/questions/10236667/c-sharp-storing-user-password-for-comparison) and [here](http://stackoverflow.com/questions/4181198/how-to-hash-a-password). – Brian Apr 29 '13 at 23:13
2 Answers
2
Put a hashed version of the password in a database. When someone logs in, calculate the hash of the password they entered, and compare this with the password in the DB.
Barmar
- 596,455
- 48
- 393
- 495
-1
If not online, you could save the password in the registry or in a configuration file opportunely encrypted and compare.
If online, you can use a web service that compare the password and returns a boolean.
