c# – Login to the application. The best option. Encryption

Question:

There is an application like a chat. The server has a database where passwords (hashes) and logins are stored. What is the best way to organize login? I can save the username and password in the database of the user (sqlite), and then substitute it, but I don't really like this, since you can easily steal data. You can encrypt it somehow, but knowing the algorithm, you can decrypt it. What's the best way to do it? Where is the safest place to store?

The same chrome is just an outrage. Passwords are encrypted using a standard encryption method, making them easy to steal.

Answer:

In general, this task is unsolvable – any information available to a client is potentially available to an attacker. You can only increase the costs of a potential attacker to obtain information.

For starters, it might be a good idea to just base64 convert the password. A bunch of incomprehensible beeches in itself can scare off an intruder.

However, even a frightened intruder can simply copy the password to himself and use your own program. Therefore, the next level of protection is to encrypt the password with any symmetric algorithm, and store the key elsewhere. In this case, the attacker will first have to find where the key is stored in order to use the stolen password.


The last line of defense is to store instead of a password a special token issued by the server after authorization. This token can be associated with a certain minimum set of rights required by the application, elevation of rights – only through the repeated request for a password.

Thus, an attacker who stole a token will be able to write to the chat on behalf of the user – but he will not be able, for example, to change his password and thereby hijack the account completely.

Scroll to Top