Re: Standard way to remember passwords




"Arek Iskra [MVP]" <NoSpam_arek@xxxxxxxxxxxxx> wrote in message
news:%23YbaUz79FHA.3980@xxxxxxxxxxxxxxxxxxxxxxx
> "PGP" <priyesh_do_not_reply> wrote in message
> news:%23NDVBL49FHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
>>
>> "Shenan Stanley" <newshelper@xxxxxxxxx> wrote in message
>> news:%23hZAcZ39FHA.2544@xxxxxxxxxxxxxxxxxxxxxxx
>>> PGP wrote:
>>>> I have a config utility that lets users change service params and
>>>> when it's time to apply changes, the user needs to supply his user
>>>> name and pass as the services are created under the user so that
>>>> user privileges on certain resources would apply. I would like to
>>>> remember the user's password if he chooses to do so in a secure
>>>> manner. Is this advisable? If so, how is it done?
>>>
>>> There are several Password Manager products out there.
>>> Are you talking about them remembering what they used.. Or YOU
>>> remembering what they used?
>>>
>>> --
>>> Shenan Stanley
>>> MS-MVP
>>> --
>>> How To Ask Questions The Smart Way
>>> http://www.catb.org/~esr/faqs/smart-questions.html
>>>
>> The username and password used here would be the user's system login
>> credentials (for Windows services). What I am trying to do is to find out
>> if there is a preferred way to save these so the user doesn't have to retype
>> them. So the answer would be me remembering the passwords.
>>
>>
>>
>
> I would not recommend this. I know it is more convenient, but it can lead
> to a serious security breach. If you do that, anyone can power on the
> machine and impersonate another user, since the system will log in
> automatically. How are you going to prove that the person who does
> something "mischievous" is the same person who is the owner/primary user
> of PC? Just a thought.
>
> --
> Arek Iskra
> MVP for Windows Server - Software Distribution
>
>

The user will have to log in to Windows using standard Windows login
procedures. The application does not do anything to make this automatic.
The only thing that I am deciding is about saving the user's login/pass as
encrypted registry entries. So far I have decided against it. (A little
annoyance to the user when he/she has to retype the pass every time they make
a config change on the service.)

