Tuesday, June 10, 2008

Stop the “Create a new Login Dialog” Insanity! Windows XP+ already has one, one that’s familiar and securely stores the User ID and Password too!

Security Developer Center - Using Credential Management in Windows XP and Windows Server 2003 [GD: Code Samples in VB]

“Summary: Shows how to retrieve user credentials using the DPAPI function, CredUIPromptForCredentials, in Microsoft Windows XP and Windows Server 2003 to obtain authentication information in a secure and standard way. (16 printed pages)

Applies to:
   Microsoft® .NET
   Microsoft Windows XP
   Microsoft Windows Server 2003

Download the source code for this article.

Introduction

Sometimes your application requires user-supplied credentials to access a protected resource, such as a database or an FTP site. Obtaining and storing a user's ID and password, however, introduces a security risk into your system. Where possible, you shouldn't have the user supply credentials at all (by using integrated authentication for your database, for example), but sometimes it cannot be avoided. If you do need to request credentials from the user, and your application will be running on Microsoft® Windows® XP or Microsoft® Windows Server 2003, then the operating system provides functions to make this task easier.

If you need to prompt the user for database, Web site, or any other set of credentials, using the built-in operating system features is the best way to accomplish this. In addition to providing the user with a consistent user interface, you also gain the benefits of the operating system's cache of credentials tied to the logged-on user. If you want more information on security issues in development, check out Writing Secure Code by Michael Howard and David LeBlanc.”

Peter's Software House - C# Credential Manager [GD: Code Samples in C#]

“Prompt for user credentials using CREDUI.

[Screenshot: the CredUI credential dialog]

I have done this so many times in the past and then I always struggle because all the code samples are in VB.NET and I code in C#, so I thought, just do it and put it on your blog so others can use it and I can get to it easily in the future.

With the CredentialManager you can specify the target name, the parent form, banner bitmap and I am using a delegate to execute the success story.

…”
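Both links above boil down to one Win32 call. As an added example (my own code, not taken from the MSDN article or from Peter's CredentialManager), here is a minimal C# P/Invoke wrapper around CredUIPromptForCredentials and CredUIConfirmCredentials in credui.dll. It asks for a generic (application) credential, shows the "remember my password" checkbox, and uses CREDUI_FLAGS_EXPECT_CONFIRMATION so that Windows writes nothing to Credential Manager until the app reports that the logon actually worked. The target name "MyApp/InventoryDb" and the TryConnect method are placeholders for your own resource and logon attempt.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security;

// Added example, not code from either linked article. Assumptions: the target
// name "MyApp/InventoryDb" and TryConnect stand in for the application's own
// protected resource and its real logon attempt.
static class CredUi
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDUI_INFO
    {
        public int cbSize;
        public IntPtr hwndParent;
        public string pszMessageText;
        public string pszCaptionText;
        public IntPtr hbmBanner;
    }

    const int CREDUI_MAX_USERNAME_LENGTH = 513;
    const int CREDUI_MAX_PASSWORD_LENGTH = 256;

    const int CREDUI_FLAGS_SHOW_SAVE_CHECK_BOX = 0x00040; // let the user opt into caching
    const int CREDUI_FLAGS_EXPECT_CONFIRMATION = 0x20000; // persist only after we confirm
    const int CREDUI_FLAGS_GENERIC_CREDENTIALS = 0x40000; // app credential, not a Windows logon

    const int NO_ERROR = 0;
    const int ERROR_CANCELLED = 1223;

    [DllImport("credui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int CredUIPromptForCredentials(
        ref CREDUI_INFO uiInfo, string targetName, IntPtr context, int authError,
        char[] userName, int userNameMaxChars,
        char[] password, int passwordMaxChars,
        ref bool save, int flags);

    [DllImport("credui.dll", CharSet = CharSet.Unicode)]
    static extern int CredUIConfirmCredentials(string targetName, bool confirm);

    // Shows the standard Windows credential dialog (or hands back a credential
    // already cached for targetName). Returns false if the user cancelled.
    public static bool Prompt(string targetName, string caption, string message,
                              out string userName, out SecureString password,
                              out bool userAskedToSave)
    {
        var info = new CREDUI_INFO
        {
            cbSize = Marshal.SizeOf(typeof(CREDUI_INFO)),
            hwndParent = IntPtr.Zero,          // pass your main window handle here
            pszMessageText = message,
            pszCaptionText = caption,
            hbmBanner = IntPtr.Zero,
        };
        var userBuf = new char[CREDUI_MAX_USERNAME_LENGTH + 1];
        var passBuf = new char[CREDUI_MAX_PASSWORD_LENGTH + 1];
        bool save = false;
        int flags = CREDUI_FLAGS_GENERIC_CREDENTIALS
                  | CREDUI_FLAGS_SHOW_SAVE_CHECK_BOX
                  | CREDUI_FLAGS_EXPECT_CONFIRMATION;
        try
        {
            int rc = CredUIPromptForCredentials(ref info, targetName, IntPtr.Zero, 0,
                                                userBuf, userBuf.Length,
                                                passBuf, passBuf.Length,
                                                ref save, flags);
            if (rc == ERROR_CANCELLED)
            {
                userName = null; password = null; userAskedToSave = false;
                return false;
            }
            if (rc != NO_ERROR) throw new Win32Exception(rc);

            userName = new string(userBuf).TrimEnd('\0');
            // Move the password into a SecureString; the plaintext then lives
            // only in passBuf, which the finally block wipes.
            password = new SecureString();
            for (int i = 0; i < passBuf.Length && passBuf[i] != '\0'; i++)
                password.AppendChar(passBuf[i]);
            password.MakeReadOnly();
            userAskedToSave = save;
            return true;
        }
        finally
        {
            Array.Clear(userBuf, 0, userBuf.Length);   // wipe plaintext copies
            Array.Clear(passBuf, 0, passBuf.Length);
        }
    }

    // Required after EXPECT_CONFIRMATION: Windows saves the credential to the
    // user's Credential Manager only when worked == true, so a bad password is
    // never cached.
    public static void Confirm(string targetName, bool worked)
    {
        CredUIConfirmCredentials(targetName, worked);
    }

    // Placeholder (assumed) for the real logon that consumes the credential.
    static bool TryConnect(string user, SecureString pass) { return user.Length > 0; }

    static void Main()
    {
        const string target = "MyApp/InventoryDb";   // assumed name for this example
        string user; SecureString pass; bool wantsSave;
        if (!Prompt(target, "Inventory database", "Enter your database credentials.",
                    out user, out pass, out wantsSave))
        {
            Console.WriteLine("Cancelled.");
            return;
        }
        using (pass)
        {
            bool ok = TryConnect(user, pass);
            Confirm(target, ok);   // call regardless of whether the save box was ticked
            Console.WriteLine(ok ? "Connected as " + user + (wantsSave ? " (credential saved)" : "")
                                 : "Logon failed; credential not cached");
        }
    }
}
```

Two things to keep in mind when using this. First, the target name is the cache key: once a generic credential is stored for "MyApp/InventoryDb", later calls without CREDUI_FLAGS_ALWAYS_SHOW_UI return it silently instead of prompting, which is exactly the "cache tied to the logged-on user" benefit the MSDN article describes, so pick a target name that names the resource, not the app build. Second, the API still hands the password back to you in a plaintext buffer; the stored copy is protected by Credential Manager (DPAPI under the hood), but the in-process copy is your responsibility, hence the wipe in the finally block. The dialog needs an interactive desktop, so it is not usable from a service, and on Windows Vista and later the newer CredUIPromptForWindowsCredentials is the preferred entry point.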

So if I understand this correctly, all those login & authentication dialogs I’ve created in the past few years have pretty much been re-inventing the wheel? How much time have I spent worrying that my app’s user IDs were stored correctly (i.e. as securely as possible)? How much gunk, non-app-domain-specific code have I written just to prompt for this information?

sigh… There’s just so much I don’t know…
