RE: Password Hiding

From: Dimitris Petropoulos (D.Petropoulos@encode-sec.com)
Date: Tue Jul 29 2003 - 23:32:26 PDT

    Pablo,
    
    I can see two options regarding this:
    
    1. Hardcode the password in the application source code. This makes it slightly more difficult to find (assuming one makes the effort to hide it a bit better rather than having a single string with the password that can be found with any hex editor) but each time you need to change the password you'd need to change the source code. 
    2. Save the password in a configuration file and let the application pick it up from there. The permissions on the configuration file should be such that only the application can access it. Needless to say this scheme does not prevent administrators, etc. from accessing the password and also assumes good physical security for the box the application is deployed on.
    
    Best regards,
    
    -----------------------
    Dimitrios Petropoulos
    MSc InfoSec, CISSP
    
    Director, Security Research & Development
     
    ENCODE S.A.
    3, R.Melodou Str
    151 25 Marousi
    Athens, Greece
    Tel: +30210-6178410
    Fax: +30210-6109579
    web: www.encode-sec.com
    ------------------------
    
    
    
    > -----Original Message-----
    > From: pablo gietz [mailto:pablo.gietzat_private] 
    > Sent: Tuesday, July 29, 2003 9:14 PM
    > To: secprog
    > Subject: Password Hiding
    > 
    > 
    > Hi all
    > This is my first post,
    > What can I do to hide a password that is used to 
    > encrypt-decrypt a config.file? . Where to save the password?. 
    > The program must run without user intervention and use this 
    > password to access that file.
    > 
    > Language: Delphi
    > 
    > Platform: windows
    > 
    > Thanks
    > 
    > --
    > Pablo A. C. Gietz
    > Head of Information Security
    > Nuevo Banco de Entre Ríos S.A.
    > Tel.: 0343 - 4201351
    > 
    > 
    > The information and files contained in this message are 
    > confidential and for the exclusive use of the 
    > designated recipients. If you are not one of them, 
    > you are not authorized to disclose, copy, distribute or 
    > retain all or part of the information and files, and must 
    > notify the sender immediately and delete it from your 
    > system. Thank you very much.
    > 
    > 
    > 
    
    
    ******************************************************************
    Any views expressed in this message are those of the
    individual sender, except where the sender specifically
    states them to be the views of ENCODE S.A.
    ******************************************************************
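The second option above (keep the password in a configuration file that only the application's account can read) is, on Windows, a file ACL question. The script below is an added example and is not code from the thread; it assumes a config file at `C:\App\secrets.cfg` and a dedicated local account `MyAppSvc` that the unattended application runs under (both placeholder names). It strips inherited permissions, grants read access to the service account only (plus the administrative principals that can never be locked out anyway, which is exactly the caveat in the reply), and then checks that no broad group such as `Users` or `Everyone` can still read the file.

```powershell
# Added example (not from the original thread). Assumed placeholders:
#   $ConfigPath     - the encrypted config file / key file the application reads
#   $ServiceAccount - the local account the unattended application runs as (must exist)
param(
    [string]$ConfigPath     = 'C:\App\secrets.cfg',
    [string]$ServiceAccount = "$env:COMPUTERNAME\MyAppSvc"
)

function Set-ConfigFileAcl {
    param([string]$Path, [string]$Account)

    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent directory and drop the inherited ACEs,
    # otherwise "BUILTIN\Users: Read" inherited from C:\ would stay in effect.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit ACE that is already on the file (snapshot first,
    # because RemoveAccessRule modifies the collection we would be iterating).
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

    # Only the service account gets Read; SYSTEM and Administrators keep full
    # control (they can take ownership regardless, as the reply points out).
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))

    Set-Acl -Path $Path -AclObject $acl
}

function Test-ConfigFileAcl {
    # Returns $true when no broad principal can access the file.
    param([string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $leaks = (Get-Acl -Path $Path).Access | Where-Object { $broad -contains $_.IdentityReference.Value }
    return (@($leaks).Count -eq 0)
}

Set-ConfigFileAcl -Path $ConfigPath -Account $ServiceAccount

if (Test-ConfigFileAcl -Path $ConfigPath) {
    Write-Host "ACL on $ConfigPath is restricted to the service account and administrators."
} else {
    Write-Warning "Broad groups still have access to $ConfigPath:"
    (Get-Acl -Path $ConfigPath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
}
```

Run it from an elevated PowerShell session, since changing the ACL of a file you do not own requires administrative rights. The check function is worth keeping as a periodic health test: a later deployment or a helpful "fix" by someone granting `Users` read access to the application directory is the usual way this scheme silently degrades, and the file then protects nothing more than a hardcoded string would.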
    



    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 07:55:30 PDT