RE: Password Hiding

From: Dimitris Petropoulos (D.Petropoulos_at_encode-sec.com)
Date: 07/30/03

  • Next message: Andrew van der Stock: "RE: Password Hiding"
    Date: Wed, 30 Jul 2003 09:32:26 +0300
    To: "pablo gietz" <pablo.gietz@nuevobersa.com.ar>
    
    

    Pablo,

    I can see two options regarding this:

    1. Hardcode the password in the application source code. This makes it slightly more difficult to find (assuming one makes the effort to hide it a bit better rather than having a single string with the password that can be found with any hex editor) but each time you need to change the password you'd need to change the source code.
    2. Save the password in a configuration file and let the application pick it up from there. The permissions on the configuration file should be such that only the application can access it. Needless to say this scheme does not prevent administrators, etc. from accessing the password and also assumes good physical security for the box the application is deployed on.

    Best regards,

    -----------------------
    Dimitrios Petropoulos
    MSc InfoSec, CISSP

    Director, Security Research & Development
     
    ENCODE S.A.
    3, R.Melodou Str
    151 25 Marousi
    Athens, Greece
    Tel: +30210-6178410
    Fax: +30210-6109579
    web: www.encode-sec.com
    ------------------------

    > -----Original Message-----
    > From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
    > Sent: Tuesday, July 29, 2003 9:14 PM
    > To: secprog
    > Subject: Password Hiding
    >
    >
    > Hi all
    > This is my first post,
    > What can I do to hide a password that is used to
    > encrypt-decrypt a config.file? . Where to save the password?.
    > The program must run without user intervention and use this
    > password to access that file.
    >
    > Language: Delphi
    >
    > Platform: windows
    >
    > Thanks
    >
    > --
    > Pablo A. C. Gietz
    > Jefe de Seguridad Informática
    > Nuevo Banco de Entre Ríos S.A.
    > Te.: 0343 - 4201351
    >
    >
    > La información y archivos contenidos en este mensaje son
    > confidenciales y para utilización exclusiva de los
    > destinatarios consignados. Si Usted no reviste ese carácter,
    > no se encuentra autorizado para divulgar, copiar,distribuir o
    > retener todo o parte de la informacion y archivos, y deberá
    > notificarlo de inmediato al remitente y eliminarlo de su
    > sistema. Muchas gracias.
    >
    >
    >

    ******************************************************************
    Any views expressed in this message are those of the
    individual sender, except where the sender specifically
    states them to be the views of ENCODE S.A.
    ******************************************************************


  • Next message: Andrew van der Stock: "RE: Password Hiding"