> At server side I use
> the usercode to query a password database to retrieve the password
> and I compute the same hash code.
> use LogonUser API from advapi32.dll. 

> I don't have a password database. 

These statements seem contradictory to me. If you can compute the hash
from the database, you must be storing it clear (or so it can be decoded),
which you can use for the API?

If you are worried about storing clear passwords in a database, assuming
this is a single server, you could use the Local Security Authority (LSA)
protected subsystem of Windows, saved in the registry under the protected
key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\.  This is where Windows
stores email, RAS and network passwords. I have some code that supports
this as part of my RAS component.
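
The point made in the reply above, as an added example that is not part of the original message: a server can only recompute the client's hash if it holds the password in clear or recoverable form. The hash scheme (HMAC-SHA-256 over a server challenge), the user name and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: hash the password with the server's challenge (assumed scheme)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def verify_with_clear_store(store, user, challenge, response) -> bool:
    """Server recomputes the same hash; this needs the recoverable password."""
    password = store.get(user)
    if password is None:
        return False
    return hmac.compare_digest(client_response(password, challenge), response)


def make_verifier(password: str, salt: bytes) -> bytes:
    """One-way verifier (PBKDF2), the usual alternative to storing clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_with_oneway_store(store, user, challenge, response) -> bool:
    """With only a one-way verifier the server has no password to hash, so the
    best it can do (keying the HMAC with the verifier) never matches the client."""
    entry = store.get(user)
    if entry is None:
        return False
    _salt, verifier = entry
    expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo(client_password: str = "correct horse"):
    """Return (clear-store result, one-way-store result) for one login attempt."""
    stored_password = "correct horse"          # constructed sample credential
    challenge = os.urandom(16)
    response = client_response(client_password, challenge)
    clear_store = {"alice": stored_password}   # password kept recoverable
    salt = os.urandom(16)
    oneway_store = {"alice": (salt, make_verifier(stored_password, salt))}
    return (verify_with_clear_store(clear_store, "alice", challenge, response),
            verify_with_oneway_store(oneway_store, "alice", challenge, response))


if __name__ == "__main__":
    print(demo())
```

The same recoverable password that lets `verify_with_clear_store` succeed is what a logon API taking a clear-text password would need, which is why protected storage for it matters.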

