用户名和密码存储位置

发布于 2024-11-02 02:43:35 字数 259 浏览 8 评论 0原文

我正在 vb.net 中编写一个程序,要求用户先登录才能使用该应用程序。主用户是在安装程序时创建的,类似于Windows安装时的工作方式。

主要用户可以向程序添加其他用户。我已经知道我应该加密存储密码。我的问题是,我应该在哪里存储用户名和密码?注册表、独立存储或 .config 文件。我不希望任何用户能够修改/删除该文件,因为其他用户显然无法登录。此外,登录计算机的任何用户都应该可以访问该文件。

不保证计算机能够连接到互联网,因此必须存储在本地。

谢谢

I am writing a program in vb.net that requires a user to log in before he can use the application. The main user is created when the program is installed, similar to how windows works when it is installed.

The main user can add additional users to the program. I already know that I should store the passwords encrypted. My question is, where should I store the usernames and passwords? The registry, Isolated storage or .config file. I don't want any user to be able to modify/delete that file as the other user would obviously not be able to log in. Also, this file should be accessible for any user that logs into the computer.

The computer is not guaranteed to be connected to the internet, so it must be stored locally.

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

〆凄凉。 2024-11-09 02:43:35

说实话,如果有人有意志力寻找文件,他们就会找到它,因此存储可以帮助提高安全性,但我会关注文件本身的内容。

您可以尝试将应用程序的数据存储为加密文件,这可能会阻止业余尝试,但当您使用 .net 框架时,您的程序可能会被反编译,并且任何对称加密算法都可能变得毫无用处。

我认为你最好的选择是根据程序所在的计算机生成种子,如果解密失败,请打电话回家或进入锁定状态。

另一种选择是存储加密的(使用对称密钥加密的)文件和哈希文件(可能位于不同的位置)。如果加载文件的散列与散列文件不匹配,则您的程序可以调用家(如果您有家可调用)。

这只是一个想法,还没有实际尝试过这样的事情。

To tell you the truth if someone has the will power to look for the file they will find it, so storage can help up security but I would focus on the contents of the file itself.

You could try to store the data of the application as a encrypted file which could stop the amateur attempts but as you are using the .net framework your program could could be decompiled and any symmetric encryption algorithms could be rendered useless.

I think your best bet would be to either generate a seed according to the computer the program is on, and if decryption fails call home or go into Lock Down.

Another option would be to store the encrypted (encrypted with your symmetric key) file and a hash file (in different locations probably). If the hash of the loaded file then does not match the hash file your program could then call home (If you have a home to call).

This is just a idea, haven't actually tried anything like this.

凝望流年 2024-11-09 02:43:35

如果您无法在计算机上以任何方式使用 Windows 用户/凭据,那么实际上没有绝对的方法可以防止文件被删除/更改,因为计算机上的任何人都具有与主用户相同的访问权限,他需要修改文件的权限才能通过程序添加用户。

唯一确定的方法是让主用户使用不同的用户名登录,并设置该文件/文件夹的文件权限,以确保只有主用户拥有对该文件的修改权限(而其他用户则有权修改该文件)。帐户无权修改权限)。我知道您说过它在您的环境中不起作用(这是?),但您也许可以通过代码创建用户并在不同的凭据下运行内容,而无需用户登录任何不同的帐户。

我能想到的唯一疯狂的方法是在计算机上创建一个服务,一旦它开始运行,它就会打开并保存具有共享集的该文件的句柄,以便没有其他进程可以打开该文件进行写入。当然,您必须想办法让主用户能够添加用户。

If you are not able to use windows users/credentials in any way on the machine, then there really is no absolute way to prevent the file from being removed/changed, Since anyone on the computer has the same access as the main user, who needs rights to modify the file in order for him to add users through the program.

The only way to do it for sure is to have the main user logon with a different user name, and set the file permissions on that file/folder to make sure that only the main user has modify permission to the file (and the other user account does not have the right to modify permissions). I know you said it wouldn't work in your environment(which is?) but you might be able to create users and run stuff under different credentials through your code without having the users log on any different.

The only crazy way I can think of is to create a service on the computer that once it starts running, it opens and holds a handle to that file with sharing set such that no other process can open the file for writing. You'd of course have to workout some way for the main user to be able to add users.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文