May 21st, 2003, 08:13 PM
VB Semi-Secure Login
----> I'm sorry if I posted this in the wrong forum or if this doesn't exactly constitute a tutorial. Just tell me and I’ll move/delete the post.
----> In a thread I read earlier today, it talked about adding a secure login for Visual Basic applications. Although my code uses a local file, this could easily be changed to read from a database. The basic idea is that I use a popular (or well constructed) HASH Cipher to compare username and passwords...
----> I've included the source code in a ZIP archive. I hope this helps some newbie VB coders
May 22nd, 2003, 04:18 PM
hey, that's cool...
what would the associated security risks be?
what kind of attacks does this leave the passwd.conf file open to?
yeah, I'm gonna need that by Friday...
May 22nd, 2003, 07:31 PM
From my position, there are a couple of security threats. First, when the user enters the password, the password is stored plaintext in memory until the program closes or a new password is entered. To prevent this, just hook the txtPassword.change event and replace the password char with * and store the real char in an array. That way the normal password revealers and such couldn't reveal the password as stored in txtPassword.text. Then, when the user clicks add user or ok, hash the password and blank txtPassword.text. Obviously this is a little overkill, but it should work with memory attacks.
Secondly, because the user is hashed with the password, a malicious user could add a user with the same name and different password and the program would have no way to check. This would give a user multiple passwords. Doubleplusungood. I suggest using a UNIX passwd file format like username:hash. This would prevent impersonation/identity theft attacks. That way when someone tries to add a user, then the prog will check if said username already exists in passwd file before adding another one.
All in all though, it is a very secure login scheme. Another interesting thing to add would be hashing permissions.
$person!=$kiddie or die("Alas, die you hotmail hacker!!");
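The username:hash file layout and the duplicate-name check suggested in the post above, as an added Python example that is not the poster's VB code. The salted PBKDF2 hash, the `salt$digest` encoding of the hash field, and the case-insensitive name match are assumptions; the thread does not name a hash function.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor, not from the thread

def hash_password(password, salt=None):
    """Return 'salthex$digesthex'; a fresh random salt is used when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def parse(text):
    """Parse 'username:hash' lines into {name: hash}; reject bad or duplicate entries."""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, field = line.partition(":")
        key = name.casefold()  # assumption: 'Alice' and 'alice' are the same account
        if not sep or not name or not field:
            raise ValueError(f"line {n}: malformed entry")
        if key in users:
            raise ValueError(f"line {n}: duplicate user {name!r}")
        users[key] = field
    return users

def add_user(text, username, password):
    """Return the new file text, refusing names that already exist in the file."""
    # ':' or a line break inside a name would let one entry masquerade as another
    if not username or ":" in username or not username.isprintable():
        raise ValueError("invalid username")
    if username.casefold() in parse(text):
        raise ValueError("user already exists")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{username}:{hash_password(password)}\n"

def check_login(text, username, password):
    """Look the user up by name, then compare hashes in constant time."""
    field = parse(text).get(username.casefold())
    if field is None:
        return False
    try:
        salt = bytes.fromhex(field.partition("$")[0])
    except ValueError:
        return False
    return hmac.compare_digest(hash_password(password, salt).encode(), field.encode())
```

Because the name is stored in the clear as the lookup key, a second entry for an existing name is rejected both when adding a user and when the file is read back.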
May 22nd, 2003, 09:11 PM
hey, thanx a lot for your input... i'm coding the changes right now... i will have another version of this example ready within the next few days...
i appreciate the feedback mr. guru