RE: Password Hiding
From: Larry Reedy (lreedy_at_engage-now.com)
Date: 07/30/03
- Previous message: Andrew van der Stock: "RE: Password Hiding"
- In reply to: Dimitris Petropoulos: "RE: Password Hiding"
- Next in thread: Andrew van der Stock: "RE: Password Hiding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jul 2003 11:10:23 -0400 (EDT)
To: <D.Petropoulos@encode-sec.com>
It has been my understanding that if you hardcode passwords, keys, etc. in
source code, a hacker would only need to attach a debugger to the
software to figure out what they are. If the user's password is associated
with the system logon and the user has administrator rights on a domain,
then this could seriously compromise an entire network.
-Larry
> Pablo,
>
> I can see two options regarding this:
>
> 1. Hardcode the password in the application source code. This makes it
> slightly more difficult to find (assuming one makes the effort to hide
> it a bit better rather than having a single string with the password
> that can be found with any hex editor) but each time you need to change
> the password you'd need to change the source code.
>
> 2. Save the password in a configuration file and let the application pick
> it up from there.
> The permissions on the configuration file should be such that only the
> application can access it. Needless to say this scheme does not prevent
> administrators, etc. from accessing the password and also assumes good
> physical security for the box the application is deployed on.
>
> Best regards,
>
> -----------------------
> Dimitrios Petropoulos
> MSc InfoSec, CISSP
>
> Director, Security Research & Development
>
> ENCODE S.A.
> 3, R.Melodou Str
> 151 25 Marousi
> Athens, Greece
> Tel: +30210-6178410
> Fax: +30210-6109579
> web: www.encode-sec.com
> ------------------------
>
>
>
>> -----Original Message-----
>> From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
>> Sent: Tuesday, July 29, 2003 9:14 PM
>> To: secprog
>> Subject: Password Hiding
>>
>>
>> Hi all
>> This is my first post,
>> What can I do to hide a password that is used to
>> encrypt-decrypt a config.file? . Where to save the password?.
>> The program must run without user intervention and use this
>> password to access that file.
>>
>> Language: Delphi
>>
>> Platform: windows
>>
>> Thanks
>>
>> --
>> Pablo A. C. Gietz
>> Head of Information Security
>> Nuevo Banco de Entre Ríos S.A.
>> Tel.: 0343 - 4201351
>>
>>
>> The information and files contained in this message are
>> confidential and for the exclusive use of the named
>> recipients. If you are not one of them, you are not
>> authorized to disclose, copy, distribute or retain all or
>> part of the information and files, and you must notify the
>> sender immediately and delete it from your system. Thank
>> you very much.
>>
>>
>>
>
>
> ******************************************************************
> Any views expressed in this message are those of the
> individual sender, except where the sender specifically
> states them to be the views of ENCODE S.A.
> ******************************************************************
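An added example, not code from any poster in this thread, showing the two options Dimitris lists and the point Larry makes. Python is used because the Delphi program under discussion is not on the page. The first half recovers a hardcoded credential from a constructed stand-in for a compiled binary (FAKE_BINARY, an assumed byte blob, not a real executable) with nothing more than a string scan, i.e. the "any hex editor" attack. The second half implements option 2, reading the password from a configuration file, and refuses the file unless it is a regular file owned by the running user with no group/other permission bits. The mode-bit check assumes a POSIX host; on Windows the equivalent check has to be made against the NTFS ACL, which this code does not do.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Constructed stand-in for a compiled executable image: a few header-like
# bytes with a credential embedded the way a string literal lands in the
# binary. This is not a real program, just sample input for the scan.
FAKE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02\x03"
    b"ConfigDecryptPassword=Hunter2!\x00"
    b"\x7fELF\x00"
    b"kernel32.dll\x00CryptDecrypt\x00"
)

PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"
CREDENTIAL_PATTERN = re.compile(r"(?i)(pass(word)?|secret|key)\s*=\s*\S+")


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Same heuristic as the Unix `strings` tool or a hex editor's text
    column: every run of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(PRINTABLE_RUN % min_len, blob)]


def find_hardcoded_credentials(blob: bytes) -> List[str]:
    """Option 1 seen from the attacker's side: a plain string literal is
    recovered without a debugger, just by scanning the file for text."""
    return [s for s in extract_strings(blob) if CREDENTIAL_PATTERN.search(s)]


def write_secret_file(path: str, secret: str, mode: int = 0o600) -> None:
    """Create the config file, then set its mode explicitly so the
    process umask can neither loosen nor tighten what we asked for."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write("password=%s\n" % secret)
    os.chmod(path, mode)


def load_secret_from_file(path: str) -> str:
    """Option 2: read the password from a config file, but refuse it unless
    the file is a regular file owned by the running user and unreadable
    by group/others. Assumption: POSIX mode bits. On Windows the same
    check must be made against the NTFS ACL, which os.stat does not show."""
    if os.name != "posix":
        raise RuntimeError("mode-bit check only applies on POSIX; "
                           "inspect the NTFS ACL on Windows instead")
    st = os.lstat(path)  # lstat: do not follow a planted symlink
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s: not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s: mode %o lets group/others read it"
                              % (path, stat.S_IMODE(st.st_mode)))
    if st.st_uid != os.getuid():
        raise PermissionError("%s: not owned by the running user" % path)
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if line.startswith("password="):
                return line[len("password="):]
    raise ValueError("%s: no password= entry" % path)


def demo() -> Dict[str, object]:
    """Run both halves in a scratch directory and report the outcome."""
    workdir = tempfile.mkdtemp(prefix="secprog-")
    good = os.path.join(workdir, "app.conf")     # 0600, what option 2 needs
    loose = os.path.join(workdir, "loose.conf")  # 0644, the usual mistake
    write_secret_file(good, "Hunter2!")
    write_secret_file(loose, "Hunter2!", mode=0o644)
    try:
        load_secret_from_file(loose)
        loose_rejected = False
    except PermissionError:
        loose_rejected = True
    return {
        "hardcoded": find_hardcoded_credentials(FAKE_BINARY),
        "from_config": load_secret_from_file(good),
        "loose_rejected": loose_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the thread itself raises and the example does not remove: obfuscating the literal instead of storing it plainly only defeats the string scan, not Larry's debugger, which reads the password at the moment the program uses it; and the permission check only keeps other unprivileged users out, since an administrator on the box, or anyone with physical access to the disk, can still read the file, as Dimitris notes.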