It has been my understanding that if you hardcode passwords, keys, etc. in source code, a hacker would only need to attach a debugger to the software to figure out what they are. If the user's password is associated with the system logon and the user has administrator rights on a domain, then this could seriously compromise an entire network.

-Larry

> Pablo,
>
> I can see two options regarding this:
>
> 1. Hardcode the password in the application source code. This makes it
> slightly more difficult to find (assuming one makes the effort to hide
> it a bit better rather than having a single string with the password
> that can be found with any hex editor) but each time you need to change
> the password you'd need to change the source code.
>
> 2. Save the password in a configuration file and let the application
> pick it up from there. The permissions on the configuration file should
> be such that only the application can access it. Needless to say this
> scheme does not prevent administrators, etc. from accessing the password
> and also assumes good physical security for the box the application is
> deployed on.
>
> Best regards,
>
> -----------------------
> Dimitrios Petropoulos
> MSc InfoSec, CISSP
>
> Director, Security Research & Development
>
> ENCODE S.A.
> 3, R.Melodou Str
> 151 25 Marousi
> Athens, Greece
> Tel: +30210-6178410
> Fax: +30210-6109579
> web: www.encode-sec.com
> ------------------------
>
>
>> -----Original Message-----
>> From: pablo gietz [mailto:pablo.gietzat_private]
>> Sent: Tuesday, July 29, 2003 9:14 PM
>> To: secprog
>> Subject: Password Hiding
>>
>>
>> Hi all,
>> This is my first post.
>> What can I do to hide a password that is used to
>> encrypt/decrypt a config file? Where should I save the password?
>> The program must run without user intervention and use this
>> password to access that file.
>>
>> Language: Delphi
>>
>> Platform: Windows
>>
>> Thanks
>>
>> --
>> Pablo A. C. Gietz
>> Head of Information Security
>> Nuevo Banco de Entre Ríos S.A.
>> Te.: 0343 - 4201351
>>
>>
>> The information and files contained in this message are
>> confidential and for the exclusive use of the designated
>> recipients. If you are not such a recipient, you are not
>> authorized to disclose, copy, distribute or retain all or part
>> of the information and files, and you must notify the sender
>> immediately and delete it from your system. Thank you very much.
>>
>>
>
>
> ******************************************************************
> Any views expressed in this message are those of the
> individual sender, except where the sender specifically
> states them to be the views of ENCODE S.A.
> ******************************************************************
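Option 2 in the thread (a configuration file that only the application can read) is only as good as the permissions actually in place at run time. The Python below is an added example, not code from this thread or from any of its authors: it creates the secret file owner-only from the start and the loader refuses a file that is group- or world-accessible or owned by another user, the same habit ssh applies to private keys. It assumes a POSIX host; on Windows the equivalent check would have to inspect the file's ACL, which this example does not do.

```python
import os
import stat
import tempfile

# Any permission bit for group or others is disqualifying for a secret file.
_FORBIDDEN = stat.S_IRWXG | stat.S_IRWXO


def write_secret_file(path: str, secret: str) -> None:
    """Create the file as 0600 atomically, so it is never world-readable,
    not even for the instant between creation and a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret + "\n")


def load_secret(path: str) -> str:
    """Return the secret only if the file is a regular file, owned by the
    user running the application, and not accessible by group or others."""
    if os.name != "posix":
        raise NotImplementedError("permission check implemented for POSIX only")
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not the application user")
    if st.st_mode & _FORBIDDEN:
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path}: mode {mode:04o} too permissive, expected 0600")
    with open(path) as fh:
        return fh.readline().rstrip("\n")


def demo() -> dict:
    """Constructed scenario: a correctly protected file loads, while a copy
    that a careless deployment left as 0644 is refused."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "app.secret")
        write_secret_file(good, "example-secret-not-real")  # constructed value
        results["strict"] = load_secret(good)
        bad = os.path.join(d, "app.secret.bad")
        write_secret_file(bad, "example-secret-not-real")
        os.chmod(bad, 0o644)  # simulate the misconfiguration
        try:
            load_secret(bad)
            results["loose"] = "loaded"
        except PermissionError:
            results["loose"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

As the reply notes, this does nothing against an administrator or anyone with physical access to the box; it only stops the common mistake of a secret readable by every local account.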
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 08:14:29 PDT