DISCLAIMER: This example (actually every example on the VB Helper Web site but this one in particular) is provided as-is with no warranty. It is provided for instructional purposes and all that legal stuff that basically means if you use this program to store real passwords you're risking giving cyber-bandidos access to your checking account. You'd better read through the code and make sure it's secure code before you use it.

This is a fairly complex application so I won't describe it all here. See the code for the details.

I was looking at a "My Favorite Windows Applications" sort of article the other day. One of them was a password manager. You remember a single well-chosen password and then the password manager stores passwords for all of the myriad Web sites, legacy systems, and other places where you need a password.

The result is that you can spend some extra though picking a really good master password that you can remember and then let the program store separate really cryptic passwords for each of the applications where you need one.

This isn't all that hard an application to build so I thought I would give it a shot. Please let me know if you see any holes in the security of this program. Getting hole plugged in a secure applcation is tricky.

The program uses a set of functions to convert between plaintext and ciphertext, and between arrays of bytes and textual representations. (Yes, I know you could just keep the encrypted values in byte form but I like to work with strings. This method should only slow things down a little.) Those functions use methods provided by the .NET Cryptography API. See the notes at the end for a list of the cryptographic objects it uses.

The program stores the master password and a salt value in the Registry. (A "salt" is a set of extra random bytes used to make it harder for an attacker to build a dictionary of decoded values. Essentially it means the attacker would need a dictionary for each salt value. Whenever this program saves an encrypted value, it generates a random salt (using an RNGCryptoServiceProvider object), uses it in the encryption, and saves the encrypted value and its salt.)

When the program loads, it asks for the master password. If you enter it correctly, the program uses it to load your saved passwords from the Registry.

For each saved password, the program reads its salt value from the Registry. It then uses the master password together with that salt to decrypt the sdaved password.

The program similarly saves each password's name (so you know what Web site or whatnot it is for) and the date it was last changed (so you can make new ones every now and then).

Click a password's Copy button to copy the password to the Clipboard so you can paste it onto a Web page. Click its New button to open the New Password dialog.

To change a password, you can simply type in a new value or you ca nuse the New Password form. That form lets you specify what characters are allowed (letters, numbers, special characters, etc.), which are required, and how long the password should be. It can then generate random passwords for you. Because you (in theory) can get these passwords back from the program, you don't need to remember them so you can use the ugly random results it generates.

There are still features you could add. For example, you could make it schedule passwords for expiration. Now it just tells you when a password was changed and lets you notice that it's been 4 years since you changed your Facebook password.

Notes

The program uses these cryptographic objects:

• RNGCryptoServiceProvider to generate random numbers such as salts and random passwords.
• Rfc2898DeriveBytes to generate keys and initialization vectors from passwords and salts.
• TripleDESCryptoServiceProvider to encrypt and decrypt.