RE: Password Hiding

From: Larry Reedy (lreedy_at_engage-now.com)
Date: 07/30/03

  • Next message: crawford charles: "Re: FW: [Q] cksum of UDP packet"
    Date: Wed, 30 Jul 2003 11:10:23 -0400 (EDT)
    To: <D.Petropoulos@encode-sec.com>
    
    

    It has been my understanding that if you hardcode passwords, keys, etc in
    source code that a hacker would only need to attach a debugger to the
    software to figure out what they are. If the users password is associated
    with the system logon and the user has administrator rights on a domain
    then this could seriously compromise an entire network.

    -Larry

    > Pablo,
    >
    > I can see two options regarding this:
    >
    > 1. Hardcode the password in the application source code. This makes it
    > slightly more difficult to find (assuming one makes the effort to hide
    > it a bit better rather than having a single string with the password
    > that can be found with any hex editor) but each time you need to change
    > the password you'd need to change the source code. 2. Save the password
    > in a configuration file and let the application pick it up from there.
    > The permissions on the configuration file should be such that only the
    > application can access it. Needless to say this scheme does not prevent
    > administrators, etc. from accessing the password and also assumes good
    > physical security for the box the application is deployed on.
    >
    > Best regards,
    >
    > -----------------------
    > Dimitrios Petropoulos
    > MSc InfoSec, CISSP
    >
    > Director, Security Research & Development
    >
    > ENCODE S.A.
    > 3, R.Melodou Str
    > 151 25 Marousi
    > Athens, Greece
    > Tel: +30210-6178410
    > Fax: +30210-6109579
    > web: www.encode-sec.com
    > ------------------------
    >
    >
    >
    >> -----Original Message-----
    >> From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
    >> Sent: Tuesday, July 29, 2003 9:14 PM
    >> To: secprog
    >> Subject: Password Hiding
    >>
    >>
    >> Hi all
    >> This is my first post,
    >> What can I do to hide a password that is used to
    >> encrypt-decrypt a config.file? . Where to save the password?.
    >> The program must run without user intervention and use this
    >> password to access that file.
    >>
    >> Language: Delphi
    >>
    >> Platform: windows
    >>
    >> Thanks
    >>
    >> --
    >> Pablo A. C. Gietz
    >> Jefe de Seguridad Informática
    >> Nuevo Banco de Entre Ríos S.A.
    >> Te.: 0343 - 4201351
    >>
    >>
    >> La información y archivos contenidos en este mensaje son
    >> confidenciales y para utilización exclusiva de los
    >> destinatarios consignados. Si Usted no reviste ese carácter,
    >> no se encuentra autorizado para divulgar, copiar,distribuir o
    >> retener todo o parte de la informacion y archivos, y deberá
    >> notificarlo de inmediato al remitente y eliminarlo de su
    >> sistema. Muchas gracias.
    >>
    >>
    >>
    >
    >
    > ****************************************************************** Any
    > views expressed in this message are those of the
    > individual sender, except where the sender specifically
    > states them to be the views of ENCODE S.A.
    > ******************************************************************


  • Next message: crawford charles: "Re: FW: [Q] cksum of UDP packet"