Peter Vertes wrote: > How about storing the key on a remote server ? When you need it you connect > to it get it. Or extending on this idea; you could store the key on a > remote server, when you need to authenticate you call the authentication > code on the remote server side and have it spit back a bool (true = user is > authenticated / false = user need to try again). I haven't actually > implemented this but in theory it should work.
You're still in an automated case. The code that calls the server is subject to snooping, and any authentication information would be contained within the code, so the bad guy could pick out that information and call the remote service manually to discover the key. Until you put a human (who isn't the person you're trying to prevent from snooping) is put in the loop, any data is snoopable with enough effort. Brad -- Read my web log at http://www.quality.nu/dotnetguy/ You can read messages from the DOTNET archive, unsubscribe from DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
