Posted By
|
Message
|
The_Antisony At least I'm not Circy
Registered 01/07/2002
Points 1341
|
26th September, 2012 at 26/09/2012 18:20:01 -
I'm working on a little utility program which stores a whole mess of personal information which could be pretty darn damning if it ever found it's way into the hands of an identity thief. I've been working on a personal information security system (PISS. lol) that requires a user create a username and password the first time the application is loaded. The username and password is recorded to the database, then the database file is encrypted via blowfish.
Every time the database is accessed or queried, it'll require the database file is decrypted. I'm not particularly worried about database security AFTER the user correctly logs in, but how do I verify username and password without decrypting the database file and leaving it completely accessible to would-be identity thieves BEFORE login verification? Kinda defeats the point of requiring a login when anybody has direct access to the unencrypted database file while the login screen is up.
I've thought about making a separate login credentials file where only the actual strings for username and password are encrypted, but the only way I can think of connecting it to what could be one of several database files is by including some kind of comparative file hash. If the computer hangs or freezes sometime after modifying the database but before creating a new hash, not even the correct login information will allow access to the database. No bueno.
Does anybody else have any other options, observations, or input? There's likely something I haven't considered, I'm sure of it.
ChrisD> Employer: Say, wanna see a magic trick?
ChrisD> Employee: Uhh… sure, boss.
ChrisD> Employer: Your job! It just disappeared! Pack your things and leave! Pretty good trick, huh?
|
UrbanMonk BRING BACK MITCH
Registered 07/07/2008
Points 49566
|
26th September, 2012 at 26/09/2012 18:32:05 -
Firstly you should blowfish encrypt the database using the users username+password+secret key. Where the secret key is something you hardcore into the program.
Next you should store a seperate hash of the username+password+salt and then to verify the user's info before using it to decrypt the database.
I suggest you double hash it since there are databases online of hash tables.
This is how most similar programs operate.
n/a
|
|
|