I am writing code that needs to access a password protected network resource. I was wondering would it be safe to embed the password in the code? Would it be hard to deduce the password from the exe. I know that the code has to be recompiled if the password is changed, but that is not a problem.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Embedded Password
- Thread starter nerram
- Start date
Cagliostro
Programmer
You should put passwords in files. Passwords should be encrypted. When use enter some password, you will encrypt it and will compare with the encrypted one from file. For encryption should be used an algorithm which does not have possibility of decoding. For example you could use algorithm MD5, which is encrypt-only. Never hard code the password in the program.
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
- Thread starter
- #3
The user has no password input into this program it must connect transparently to the user. If I store the password (encrptyed) in a file and the the exe stores the (public) key, could some malicous person having full access to the exe and text file deduce the password.
Cagliostro
Programmer
I said, there is no (public) key. I said, MD5 is encription-only algorithm. MD5 has no encription key. It is something like encript password with its checksum, but much more complicated. You can not deduce originaly information by knowing encription algorithm. In the case you are afraid of malicous person, user must enter password manually and program should do like I said. malicous person could just debug your program to hack the password. It is the most used method by crackers.
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Zyrenthian
Programmer
Hardcoding a password is NOT the way to go... a simple hex editor can reveal it. If you were to hard code it and not encrypt it, I would at least apply some bit shifting AND possibly assembling the password by calling multiple functions so the information is not all contained in one buffer.
Matt
Matt
Cagliostro
Programmer
assembling the password by calling multiple functions means it anyway will collect the final password in sime final variable and/or somewhere in the memory. That means an experienced programmer can debug your code in assemply mode and to crack that password. Hard coding passwords you can use in organization where you know, there are only lammers, middle users, advanced users, but you are sure there are no malicious people or experienced programmers which are very tented to crack your password, for some hidden reasons or just for "sportive interests".
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
- Thread starter
- #7
Cagliostro
Programmer
user enter password, application encripts that password and compare it with the encripetd one, which is stored in a file or a database.
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
- Thread starter
- #9
Cagliostro
Programmer
if user is not allowed to enter a password then your application is unsecured and dangerous in use. In this case, you have no choice, just hardcode your password, or put it in some place, for example in an configuration file or in windows registry. Anyway, your application will be unsecured.
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
Ion Filipski
ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
- Status
Similar threads
- Locked
- Question