
Need to have embedded login control data

General questions about NeoBook

Moderator: Neosoft Support

Post by Enigman » Tue Aug 19, 2014 10:57 am

I am developing an application that requires the user to log in to the application. Once successfully logged in, the user will be able to change the username and password.

I am looking for an updateable way to control the login account information from INSIDE the application EXE. My preference would be to use an EXE embedded file that is encrypted text. I already have the encryption method. What I need is a way to read the encrypted data from the EXE, and optionally CHANGE and re-embed the data back into the EXE file. The reason is that I don't want a visible external login file that can be deleted/hacked/etc. The application will run from a flash drive so the login data always needs to follow the flash drive EXE and not be dependent upon the PC. Therefore the following login data limitations apply:

1) Login data cannot use the registry.
2) Login data cannot use the PC hard drive.
3) Login data cannot simply be a hidden file on the flash drive.
4) The login data must be updateable. (Otherwise I could just embed a fixed file)
5) The EXE needs to be completely portable by itself * and not require other login files to be dragged along with it.

Can anyone suggest a way to control the login data, given the above?

BACK STORY

The application is a password manager. It is currently using one or more Access Databases with all critical fields individually encrypted. The Access database itself is NOT encrypted. Each database also contains a table with encrypted login information for that database. This works fine as a personal application when the data structure hasn't been seen by anyone, but I am considering making a public (commercial) version. In a public version the current login control would not be enough. Ne'er-do-wells could directly open the Access database and figure out a way to alter the login controls.

The native MSJet supplied encryption for Access Databases does NOT work, so that is not an option. I prefer not to attempt to encrypt the entire Access database itself because that would require too much startup time to decrypt the database on startup and re-encrypt it on shutdown, and it would present too much risk of the entire database being lost to an encrypt/decrypt error. In the current design, any encryption error would only affect one field.

I am willing to accept having only one login and password set, but currently the app can have different logins for each database and I would like to keep that if possible.

* I said "by itself" above because that is the installation method. The user simply drops the app onto a flash drive and upon first startup, if it doesn't see a database it will create one and prompt to create the login controls.

Thanks.
Enigman
 
Posts: 314
Joined: Tue Apr 12, 2005 3:57 pm
Location: Foothill Ranch, CA

Re: Need to have embedded login control data

Post by Neosoft Support » Wed Aug 20, 2014 10:41 am

I don't think it's possible for an exe to modify itself. You can define hard-coded variables for user names and passwords which would be stored inside the exe, but users cannot modify them. Of course, something stored in an exe can be hacked too.

Instead of storing the actual user names and passwords, just store calculated MD5 values. (There are plug-ins at the resource center that can generate MD5 values.) When the user types in their user name and password, convert them to MD5 and compare them to the stored values. If someone hacks the exe or database, they'll gain access to the MD5 values only which won't be of any use.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5593
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA
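
The store-a-digest-and-compare login check described in the reply above, as an added example that is not part of the original thread and not NeoBook or plug-in code. It swaps the bare MD5 for a salted, iterated PBKDF2-HMAC-SHA256 digest and compares in constant time; the record layout, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def make_record(username, password, salt=None):
    """Build the text-safe record to store in place of the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(),
            "iter": ITERATIONS, "hash": digest.hex()}


def verify(record, username, password):
    """Recompute the digest from the typed password and compare to the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    user_ok = hmac.compare_digest(username.encode(), record["user"].encode())
    hash_ok = hmac.compare_digest(digest, bytes.fromhex(record["hash"]))
    return user_ok and hash_ok


def change_password(record, username, old_password, new_password):
    """Issue a new record (fresh salt) only if the old credentials verify."""
    if not verify(record, username, old_password):
        raise PermissionError("current login does not verify")
    return make_record(username, new_password)


def bare_md5(password):
    """Unsalted MD5 as in the reply, kept for comparison with the salted form."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    rec = make_record("demo_user", "first-Passphrase")
    print(verify(rec, "demo_user", "first-Passphrase"))
    print(verify(rec, "demo_user", "guess"))
    rec = change_password(rec, "demo_user", "first-Passphrase", "second-Passphrase")
    print(verify(rec, "demo_user", "second-Passphrase"))
    # Same password, two records: salted hashes differ, bare MD5 does not.
    print(make_record("a", "pw")["hash"] == make_record("b", "pw")["hash"])
    print(bare_md5("pw") == bare_md5("pw"))
```

The record holds only hex strings and an integer, so it fits in a single text field of the existing database table.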

Re: Need to have embedded login control data

Post by Enigman » Wed Aug 20, 2014 12:07 pm

Neosoft Support wrote: Instead of storing the actual user names and passwords, just store calculated MD5 values. ... If someone hacks the exe or database, they'll gain access to the MD5 values only which won't be of any use.

I already do something like this. When the user enters new login data, it is encrypted and then stored in the database. If someone hacks the database, they only see the encryption. The user data is also encrypted inside the database.

I am just trying to improve login security as much as possible. Normally one would store it encrypted in the registry by a bizarre name, but I do not want the login to be "machine dependent". That lets out any external data file that is off of the flash drive. Everything must be portable with the flash drive which is why it is in the database now.

I'm looking for any solution I haven't thought of to make the login data invisible or less visible.

Thanks.
Enigman
 
Posts: 314
Joined: Tue Apr 12, 2005 3:57 pm
Location: Foothill Ranch, CA
