VB Semi-Secure Login
Results 1 to 4 of 4

Thread: VB Semi-Secure Login

  1. #1
    Member
    Join Date
    May 2003
    Posts
    39

    VB Semi-Secure Login

    Hello everyone,

    ----> I'm sorry if I posted this in the wrong forum or if this doesn't exactly constitute a tutorial. Just tell me and Ill move/delete the post.

    ----> In a thread I read earlier today, it talked about adding a secure login for Visual Basic applications. Although my code uses a local file, this could easily be change to read from a database. The basic idea is that I use a popular (or well constructed) HASH Cipher to compare username and passwords...

    ----> I've included the source code in a ZIP archive. I hope this helps some newbie VB coders

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hey, thats cool...
    what would the associated security risks be?
    what kind of attacks does this leave the passwd.conf file open to?
    yeah, I\'m gonna need that by friday...

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    From my position, there are a couple of security threats. First, when the user enters the password, the password is stored plaintext in memory until the program closes or a new password is entered. To prevent this, just hook the txtPassword.change event and replace the password char with * and store the real char in an array. That way the normal password revealers and such couldn't reveal the password as stored in txtPassword.text. Then, when the user clicks add user or ok, hash the password and blank txtPassword.text. Obviously this is a little overkill, but it should work with memory attacks.

    Secondly, because the user is hashed with the password, a malicious user could add a user with the same name and different password and the program would have no way to check. This would give a user multiple passwords. Doubleplusungood. I suggest using a UNIX passwd file format like username:hash. This would prevent impersonation/identity theft attacks. That way when someone trys to add a user, then the prog will check if said username already exists in passwd file before adding another one.

    All in all though, it is a very secure login scheme. Another interesting thing to add would be hashing permissions.
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  4. #4
    Member
    Join Date
    May 2003
    Posts
    39
    hey, thanx a lot for your input... i'm coding the changes right now... i will have another version of this example ready within the next few days...

    i appreciate the feedback mr. guru

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides