I want to develop the functionality of remember the user's credentials for the next time login of the user in windows phone 7 application (like "remember me " functionality on the websites) Please tell me how to do this in windows phone 7.
Thanks
You can store the credentials in the Phone's Isolated storage. Your application's isolated storage cannot be accessed by any other application. The simplest way would be something like:
public void SaveCredentials()
{
var settings = IsolatedStorageSettings.ApplicationSettings;
settings.Add("username", "user123");
settings.Add("password", Encrypt("password123");
}
You can then retrieve it as :
string username = settings["username"].ToString();
string password = Decrypt(settings["password"].ToString());
You can write a Encryption / Decryption method depending on you security requirements. There are a number of ways that have different level of security and complexity. To help you get started one such way could be found HERE.
There are a few updates on the above answer.
To save:
private void SaveCredentials()
{
IsolatedStorageSettings.ApplicationSettings.Add("username", username);
IsolatedStorageSettings.ApplicationSettings.Add("password", password.ToString());
}
To retrieve:
string username = IsolatedStorageSettings.ApplicationSettings["username"];
string password = IsolatedStorageSettings.ApplicationSettings["password"];
Related
In a Windows desktop (C# / WPF) application, I need to replace our own user authentication with one using Windows authentication.
I've figured out how to do a login using Interop and calling LogonUser() and to discover if the user is in a given role:
bool isValid = LogonUser(userName, domain, password, 2, 0, ref tokenHandler);
WindowsIdentity windowsIdentity = new WindowsIdentity(tokenHandler);
WindowsPrincipal windowsPrincipal = new WindowsPrincipal(windowsIdentity);
bool inRole = windowsPrincipal.IsInRole("Everyone");
Is it possible to get a list of all users, the roles they belong to and ideally be able to change their passwords from with the application (I doubt this will be possible).
I need to use Windows authentication in my Xamarin UWP app. How can i access currently logged-in user details in the app. Need to retrieve user Active Directory login ID who currently logged in Windows.
I already tried below solution and it gives empty results for me.
How can I get username or id of currently logged in user in UWP App
Appreciate your help....
Here's a UWP sample that uses ADAL. ADAL.NET does not expose directly the notion of user from an authentication context. It does provide a UserInfo, as a property of the AuthenticationResult. When you get back the auth result, you can use the UserInfo property to get the Displayable ID of the signed in user.
Here's more from the ADAL wiki.
If you have not add User Account Information capability to your app in the Package.appxmanifest, you will not have permission to access user account info.
For other reasons, if you authinticated using hotmail, you need KnownUserProperties.FirstName and KnownUserProperties.LastName to get your account name.
private async void GetUser()
{
IReadOnlyList<User> users = await User.FindAllAsync();
var current = users.Where(p => p.AuthenticationStatus == UserAuthenticationStatus.LocallyAuthenticated &&
p.Type == UserType.LocalUser).FirstOrDefault();
// user may have username
var data = await current.GetPropertyAsync(KnownUserProperties.AccountName);
string displayName = (string)data;
// authinticated using hotmail
if (String.IsNullOrEmpty(displayName))
{
string a = (string)await current.GetPropertyAsync(KnownUserProperties.FirstName);
string b = (string)await current.GetPropertyAsync(KnownUserProperties.LastName);
displayName = string.Format("{0} {1}", a, b);
}
}
Please note the above code only works in UWP native project, and it can't be used directly in the pcl, you need to create GetUser method via DependencyService.
Update
If you have authorized with ADAL, you could use AcquireTokenSilentAsync method get info from token cache silently, for more refer this.
This is fairly simple. You should do it at the platform specific level, using Windows.System.User, To retrieve the current user's information. Here is a post which describes detaily how to accomplish this.
I've been looking for a solution on how to make the user logout and still be able to login using different email account. Currently, it automatically signs in the first account that you've entered.
My source: http://blogs.msdn.com/b/shelly_guos_ms_blog/archive/2011/09/20/get-started-on-live-sdk-for-windows-phone.aspx
Make sure you don't use "wl.signin" in your scopes. If you have been testing your app with this in, go into your account preferences for your live account and remove this option from the app's access.
This will now allow more than one user to sign in.
private LiveAuthClient authClient;
private void PhoneApplicationPage_Loaded_1(object sender, RoutedEventArgs e)
{
this.authClient = new LiveAuthClient("yourclientidhere");
}
then you can call this.authClient.Logout(); when you want to change users.
which would be the best way to encrypt the connection string for SQL SErver CE (Local Database) or the password-connection for a windows phone app? because if you have it in plain text, example:
"Data Source='isostore:/database.sdf';Password='mypassword';"
is vulnerable if anyone decompiles your app.
But if I have the encrypted password in a file (stored in isolatedstorage) may also be vulnerable if someone decompiles the app because he can see the code to decrypt.
Another way would be encrypt with a key that is not stored. The problem is that I dont want that the user enter each time the pin or password to access.....and if he forgets his pin or key can not access your private data.
The data contained in the database are of basic type (contacts, tasks, ...). Data are not high risk or condifential...
Any idea?
This recent question contains lots of helpful suggestions - How can I securely embed a static string (key) in C#?
However, for accessing a local database, then I'm not sure you need this security at all - I think the WP7 sandbox will keep your database safe from other apps.
There is always a security risk if you have got sensitive data stored locally on the phone, there are a few ways to mitigate this.
i) Use the built in ProtectedData.Protect which is built into the phone, with no additional entropy data - this would encrypt the data, and the user would not need to enter anything
ii) again use ProtectedData.Protect but get the user to enter a password and use that as the additional entropy value, but as you say if they forget the password you cannot get the data back
iii) Store the data in a cloud based service and get the app to retrieve the details as required.
Hope this helps.
The only way to not have a password on the phone (even in an obfuscated form) is to retrieve this from a remote/web server when first needed and then store on the device use the ProtectedData class.
Is there any API to get the currently logged in user's name and password in Windows?
Thank you in advance.
Password: No, this is not retained for security reasons - it's used, then discarded. You could retrieve the encrypted password for this user from the registry, given sufficient privileges, then decrypt it using something like rainbow tables, but that's extremely resource intensive and time consuming using current methods. Much better to prompt the user.
Alternatively, if you want to implement some sort of 'single signon' system as Novell does, you should do it via either a GINA (pre-Vista) or a Credential Provider (Vista), which will result in your code being given the username and password at login, the only time at which the password is available.
For username, getting the current username (the one who is running your code) is easy: the GetUserName function in AdvApi32.dll does exactly this for you.
If you're running as a service, you need to remember there is no one "logged in user": there are several at any time, such as LocalSystem, NetworkService, SYSTEM and other accounts, in addition to any actual people. This article provides some sample code and documentation for doing that.
For the many commenters who believe it is not possible to reveal the password of the currently logged-in user, see Dump cleartext passwords of logged in user(s) which shows how to use mimikatz to do just that:
mimikatz # privilege::debug
Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
mimikatz # sekurlsa::logonPasswords full
...
Utilisateur principal : user
Domaine d'authentification : domain
kerberos :
* Utilisateur : user
* Domaine : domain
* Mot de passe : pass
I'd consider it a huge security flaw if that were possible!
You can't get the password of a user since its encrypted (not to mention that its a standard practice not to store passwords in plaintext).
For getting the username, you can use GetUserName or NPGetUser
Note sure how it is done, but "Network Password Recovery" tool from http://www.nirsoft.net/utils/network_password_recovery.html seems to get the password from some cache.
GetUserName will get you the name, but the password you can't get. It's not even something Windows stores, AFAIK - only a hash of your password.
Depending on what you're trying to achieve (you can tell us a bit more..) it's possible to impersonate a logged on user and do stuff on his/her behalf.
Full details of Authentication in the Windows API can be found on MSDN:
http://msdn.microsoft.com/en-us/library/aa374735(VS.85).aspx
I don't know about the windows login password... but you can definitely pull plaintext passwords from the Credentials Manager. For example here is a program to pull the password for TFS. In most cases, this is the same as the Windows Login.
namespace ShowPassword
{
using Microsoft.TeamFoundation.Client;
using System;
using System.Net;
class Program
{
static void Main(string[] args)
{
var tpc = new TfsTeamProjectCollection(new Uri("http://mycompany.com/tfs"));
var nc = tpc.Credentials as NetworkCredential;
Console.WriteLine("the password is " + nc.Password);
}
}
}
I compiled this as "console" app under vs 2015 with Nuget package TeamFoundation ExtendedClient.
You can get the user name with GetUserName(), but you cannot get the password; this would violate security for dummies 101.
re "Network Password Recovery" tool
Windows (upto XP) stores a copy of the passwd with a simpler easy to break encryption - for connecting to older style lanmanager network shares.
The tools generaly try all possible passwords against this, using rainbow tables (precaluted encrypted versions of dictionary words) speeds this up.
In XPsp2/3 Vista this feature is removed. The new encryption is much harder to crack and needs many hours to try all possible values, there are online services that will run it on large number of machines to give you a quick answer for a price.
To answer the original poster - you do not generally store the password and compare it with what the user typd in. You encrypt (actually hash) the entered password and store that. To check a password you perform the same encryption on whatever the user enetered and compare that. It is generally impossible to go from the encrypted form back to the real password.
EDIT I suspect you are asking the wrong question here - why do you want the password, what are you trying to verify and when?