I'm creating a C# application that will lock out functionality (key combinations, windows task bar, etc.) in a Kiosk-style environment. One of the requirements is that some people should still be able to break out of the application using a key combination and a password.
The application itself is completely done, but I have not found a good way to store and check against a password. Everything should be stored locally (there is not check against a network database or whatever). How can I define a password for unlocking my application while also making this flexible (the ability to change the password without recompiling the application). How can I accomplish this in a secure way?
Store a secure hash of the password, it doesn't need to be reversible.
When someone enters a password you hash that by the same algorithm and check it matches the hash.
Because you never store the actual password it's secure.
I recommend using a key stretching algorithm like PBKDF2. .Net has support for this using Rfc2898DeriveBytes
or you can use System.Web.Helpers.Crypto
.