Hi Kees,
On Wednesday 04 May 2005 12:43, Alexandre Julliard wrote:
> Of course it would be even better to do true encryption with a hardcoded key; it still doesn't provide any security, but it's much closer to the desired end result, which makes it more likely that someone will be able to plug in the missing step.
Ok, I see.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/s...
gives a pretty good introduction on how to derive a key from a password using CryptoAPI. You should hash the following: 1.) A placeholder for the user's login password, 2.) the pszDescription parameter (if present) and 3.) the pEntropy (if present).
If you apply the user's login name as the placeholder for 1.) you are even closer to Windows in the sense that one user can't decrypt another user's DATA_BLOBs. (Well, he can of course. But only with some hacking involved.)
Bye,
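
The derivation described in the message above, as an added sketch that is not part of the original mail and is not Wine's or Windows' code. It goes one step beyond the message by also showing a length-framed variant. Assumptions: SHA-1 as the hash, UTF-16LE for the two strings, key taken as the leading bytes of the digest, and the hypothetical names derive_key and framed.

```python
import hashlib
import struct


def derive_key(user, description=None, entropy=None, key_len=16, framed=False):
    """Hash the three inputs in the order given in the message and return
    key_len bytes of key material (assumption: leading bytes of a SHA-1 digest).

    framed=False feeds the inputs back to back, as successive hash updates do.
    framed=True prefixes each input with its 32-bit length so the boundaries
    between the fields are part of what gets hashed.
    """
    parts = [
        user.encode("utf-16-le"),                 # 1) placeholder for the login password
        (description or "").encode("utf-16-le"),  # 2) pszDescription, if present
        entropy or b"",                           # 3) pEntropy, if present
    ]
    h = hashlib.sha1()
    for part in parts:
        if framed:
            h.update(struct.pack("<I", len(part)))
        h.update(part)
    digest = h.digest()
    if key_len > len(digest):
        raise ValueError("key_len exceeds the SHA-1 digest size")
    return digest[:key_len]


if __name__ == "__main__":
    # Constructed sample inputs.
    k_alice = derive_key("alice", "mail password", b"\x01\x02")
    k_bob = derive_key("bob", "mail password", b"\x01\x02")
    print("alice:", k_alice.hex())
    print("bob:  ", k_bob.hex())
    print("per-user keys differ:", k_alice != k_bob)

    # Every input is known or guessable, so the key only separates users;
    # it is not a secret (the point made in the quoted text).

    # Without framing, the description/entropy boundary is ambiguous:
    # "ab" + b"c\x00" and "abc" + b"" hash the same byte stream.
    same = derive_key("alice", "ab", b"c\x00") == derive_key("alice", "abc")
    print("unframed inputs collide:", same)
    distinct = (derive_key("alice", "ab", b"c\x00", framed=True)
                != derive_key("alice", "abc", framed=True))
    print("framed inputs stay distinct:", distinct)
```
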