RE: Password Hiding

From: Larry Reedy (lreedy_at_engage-now.com)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 11:10:23 -0400 (EDT)
    To: <D.Petropoulos@encode-sec.com>


    It has been my understanding that if you hardcode passwords, keys, etc. in
    source code, a hacker would only need to attach a debugger to the
    software to figure out what they are. If the user's password is associated
    with the system logon and the user has administrator rights on a domain,
    then this could seriously compromise an entire network.

    -Larry

    > Pablo,
    >
    > I can see two options regarding this:
    >
    > 1. Hardcode the password in the application source code. This makes it
    > slightly more difficult to find (assuming one makes the effort to hide
    > it a bit better rather than having a single string with the password
    > that can be found with any hex editor) but each time you need to change
    > the password you'd need to change the source code.
    >
    > 2. Save the password in a configuration file and let the application
    > pick it up from there. The permissions on the configuration file should
    > be such that only the application can access it. Needless to say this
    > scheme does not prevent administrators, etc. from accessing the password
    > and also assumes good physical security for the box the application is
    > deployed on.
    >
    > Best regards,
    >
    > -----------------------
    > Dimitrios Petropoulos
    > MSc InfoSec, CISSP
    >
    > Director, Security Research & Development
    >
    > ENCODE S.A.
    > 3, R.Melodou Str
    > 151 25 Marousi
    > Athens, Greece
    > Tel: +30210-6178410
    > Fax: +30210-6109579
    > web: www.encode-sec.com
    > ------------------------
    >
    >
    >
    >> -----Original Message-----
    >> From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
    >> Sent: Tuesday, July 29, 2003 9:14 PM
    >> To: secprog
    >> Subject: Password Hiding
    >>
    >>
    >> Hi all,
    >> This is my first post.
    >> What can I do to hide a password that is used to
    >> encrypt/decrypt a config file? Where should I save the password?
    >> The program must run without user intervention and use this
    >> password to access that file.
    >>
    >> Language: Delphi
    >>
    >> Platform: windows
    >>
    >> Thanks
    >>
    >> --
    >> Pablo A. C. Gietz
    >> Head of Information Security
    >> Nuevo Banco de Entre Ríos S.A.
    >> Te.: 0343 - 4201351
    >>
    >>
    >> The information and files contained in this message are
    >> confidential and for the exclusive use of the intended
    >> recipients. If you are not one of them, you are not authorized
    >> to disclose, copy, distribute or retain all or part of the
    >> information and files, and you must notify the sender
    >> immediately and delete it from your system. Thank you very much.
    >>
    >>
    >>
    >
    >
    > ******************************************************************
    > Any views expressed in this message are those of the
    > individual sender, except where the sender specifically
    > states them to be the views of ENCODE S.A.
    > ******************************************************************
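
Option 2 above hinges on the configuration file being readable by the application alone. The loader below is an added example, not code from anyone in this thread: it reads the encryption password from a separate file and refuses to use it when the file is owned by another account, is a symlink, or has any group/other permission bits set. It assumes a POSIX file system (mode bits, `os.geteuid`); a Windows ACL check would need a different API. The file name `config.key` and the secret are constructed for the demo.

```python
"""Added example for option 2: load a password only from an owner-only file."""
import os
import stat
import tempfile

# Any of these bits on the password file means other users can reach it.
FORBIDDEN = stat.S_IRWXG | stat.S_IRWXO


def load_password(path):
    """Return the secret in `path`, or raise PermissionError if the file
    is shared with other accounts, is a symlink, or is not ours."""
    st = os.lstat(path)  # lstat: never follow a link planted at this path
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: refusing to follow a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the running account")
    if st.st_mode & FORBIDDEN:
        raise PermissionError(f"{path}: accessible to group/other "
                              f"(mode {stat.S_IMODE(st.st_mode):04o})")
    with open(path, "rb") as f:
        return f.read().rstrip(b"\r\n")


def write_password(path, secret):
    """Create the file with mode 0600 from the first instant, so there is
    no window in which a default umask leaves it world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret + b"\n")


def demo():
    """Constructed scenario: a properly protected file loads; the same file
    made group-readable is rejected. Returns (loaded_ok, rejected)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.key")  # constructed path
        write_password(path, b"constructed-example-secret")
        loaded_ok = load_password(path) == b"constructed-example-secret"
        os.chmod(path, 0o640)  # simulate a sloppy deployment
        try:
            load_password(path)
            rejected = False
        except PermissionError:
            rejected = True
    return loaded_ok, rejected


if __name__ == "__main__":
    print(demo())
```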

