RE: Password Hiding
From: Dimitris Petropoulos (D.Petropoulos_at_encode-sec.com)
Date: 07/30/03
- Previous message: Qin An: "[Q] cksum of UDP packet"
- Maybe in reply to: pablo gietz: "Password Hiding"
- Next in thread: Larry Reedy: "RE: Password Hiding"
- Reply: Larry Reedy: "RE: Password Hiding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jul 2003 09:32:26 +0300
To: "pablo gietz" <pablo.gietz@nuevobersa.com.ar>
Pablo,
I can see two options regarding this:
1. Hardcode the password in the application source code. This makes it slightly more difficult to find (assuming one makes the effort to hide it a bit better rather than having a single string with the password that can be found with any hex editor) but each time you need to change the password you'd need to change the source code.
2. Save the password in a configuration file and let the application pick it up from there. The permissions on the configuration file should be such that only the application can access it. Needless to say this scheme does not prevent administrators, etc. from accessing the password and also assumes good physical security for the box the application is deployed on.
Best regards,
-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP
Director, Security Research & Development
ENCODE S.A.
3, R.Melodou Str
151 25 Marousi
Athens, Greece
Tel: +30210-6178410
Fax: +30210-6109579
web: www.encode-sec.com
------------------------
> -----Original Message-----
> From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
> Sent: Tuesday, July 29, 2003 9:14 PM
> To: secprog
> Subject: Password Hiding
>
>
> Hi all
> This is my first post,
> What can I do to hide a password that is used to
> encrypt-decrypt a config.file? Where to save the password?
> The program must run without user intervention and use this
> password to access that file.
>
> Language: Delphi
>
> Platform: Windows
>
> Thanks
>
> --
> Pablo A. C. Gietz
> Head of Information Security
> Nuevo Banco de Entre Ríos S.A.
> Te.: 0343 - 4201351
>
>
> The information and files contained in this message are
> confidential and for the exclusive use of the named
> recipients. If you are not one of them, you are not
> authorized to disclose, copy, distribute or retain all or
> part of the information and files, and you must notify the
> sender immediately and delete it from your system.
> Thank you very much.
>
>
>
******************************************************************
Any views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of ENCODE S.A.
******************************************************************
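
Added example, not part of the original message: one way to apply the file-permission approach from option 2 on Windows, using PowerShell to restrict the file to a single account and then audit the resulting ACL. The account name `svc-app`, the file path and the function names are assumptions made for illustration; run it from an elevated prompt.

```powershell
# Added example: lock a secrets file down to one account and audit the result.
# 'svc-app' and the path at the bottom are constructed values.
function ConvertTo-Sid([System.Security.Principal.IdentityReference]$Identity) {
    # Compare trustees by SID so "svc-app" and "HOST\svc-app" match.
    $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Protect-SecretFile {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting ACEs from the parent folder and discard inherited copies.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE already present on the file.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # Grant read-only access to the single account the application runs as.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-SecretFileAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string[]]$AllowedAccounts)
    $allowed = $AllowedAccounts | ForEach-Object {
        ConvertTo-Sid ([System.Security.Principal.NTAccount]$_) }
    # Return every Allow ACE whose trustee is not on the allow-list.
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (ConvertTo-Sid $_.IdentityReference) -notin $allowed }
}

$file = 'C:\ProgramData\ExampleApp\app.secret'   # constructed path
Protect-SecretFile -Path $file -Account 'svc-app'
$extra = Test-SecretFileAcl -Path $file -AllowedAccounts 'svc-app'
if ($extra) {
    # Any row here is a principal that can read the file but should not.
    $extra | Format-Table IdentityReference, FileSystemRights
}
# Members of Administrators can still take ownership and rewrite the DACL,
# which is the limit of this scheme that the message above points out.
```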