>>The known string that Dragan refers to is often the hash of the password itself. The user then supplies the password, it gets hashed, and then the hash is compared with the stored hash of the password. If the hashes match then the password is ok. The VFP encryption library from Craig includes hashing functions. The hash is not reversible back to the original password.
>
>Jos,
>
>Thanks for the reply! Hashing is a great idea.
>
>My problem is that keys is generated outside of the application. I'll need a way to verify the validity of the keys generated. I need to give it more thoughts.

It's still simple, Dawa. The key is generated wherever and entered into the system where it is stored as a hash (not the original password itself) in a table or other file. The hash cannot be reversed back to the original password. Now in the future you just compare hashes and not the passwords themselves.

Hashes can be attacked by brute force however by trying every password combination to find a matching hash. The defense to this is strong passwords employing at a minimum 7 chars using alpha-numerics, upper and lower case letters, and some special chars like !@#$% etc. One can also encrypt the table that holds the hash using an internal password.

However, even when you apply all the defences above you then need to worry about someone reverse engineering your application code. So you need to defend the exe itself using tools like Thinstall, Molebox, Refox, Armadillo, etc.