I am making a custom ftp client that logs onto a single ftp site and goes to a specific folder to avoid users putting files in the wrong place.

I'm not super concerned about it, but the password is just a string to initiate the new ftp object.

FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");

What is the best way to keep this password from prying eyes?

+1  A: 

See this SO post about how to encrypt and decrypt a string, in this case your password.

You should also consider obfuscating your code to make it difficult for people with appropriate tools to get the password by debugging your code.

Eric J.
It is much easier to start a network sniffer like Wireshark (http://www.wireshark.org/) and read the password directly from the wire after the application decrypted it.
Daniel Brückner
Agree, I was looking at the question narrowly (guess I needed that 2nd cup of coffee after all). We use sftp for exactly that reason.
Eric J.
+2  A: 

You can use this to protect your plain text string from reflector like programs.

Eran Betzalel
Has anyone else heard of this tool? I have an inherent distrust of running software I have never heard of (especially when it's hosted in Ukraine). This isn't listed on download.com. I would love to get some reliable references because that looks like a nice tool.
Eric J.
+8  A: 

FTP supports only plain text authentication - if you want to hide the password from attackers you have to use FTPS (FTP over SSL).

UPDATE

Don't care about hiding and obfuscating the password in your source code as a first step - your application will have to decrypt it and send it over the wire in plain text. Everyone can just start Wireshark or any other packet sniffer and get the password back in plain text. First make sure that you don't send the password in plain text over a network, then start thinking about obfuscating it in your code.

UPDATE

Obfuscating the password in your code yields no security at all while you are sending it in plain text, but you can do so. Just encrypting the string adds one level of indirection. Without obfuscation I have to find the password in your application and that's a matter of minutes with Reflector; with obfuscation I have to find the key, the encrypted password, and the encryption method. This will probably still take only minutes.

Using an obfuscator to prevent me from decompiling your application (into readable code) might stop me for a few hours until I find the relevant call into a system library function (but I wouldn't try, but only read the password from the wire ;).

So I suggest not to try too hard to obfuscate the password - the average user is probably unable to find a plain text password in an executable, and people willing to find the password cannot be stopped by obfuscation. In this case the only way would be not to include the password in your application in the first place.

Daniel Brückner
+1 - I thought we were only going to see answers here that dealt with obscuring the password in the .NET assembly.
JoshJordan
This is correct. I am not worried about sniffing right now, but I will be thinking about this later.
Crash893
A: 

Make your passwords and connection URLs configuration parameters, in a protected file. I use INI files, and they are placed in a directory that is protected by the web server such that a browser can't open nor see the file/directory.

Jay
I'm really looking for an in-exe option, but thanks.
Crash893
You can call a web service from an exe, which has the advantages of Jay's solution, without the need for a web application.
Michael Maddox
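Putting Daniel's FTPS point and Jay's "keep the secret out of the binary" point together, here is an added example that is not code from the question or from any of the answers: it uploads to the fixed target folder over explicit FTPS with FtpWebRequest and reads the credentials at run time instead of compiling them in. The host name, the remote directory and the FTP_USER / FTP_PASS environment variable names are assumptions.

```csharp
using System;
using System.IO;
using System.Net;

// Added example, not from the original post. Uploads one file to a fixed
// directory on an FTPS server; the password never appears in the assembly.
static class SecureFtpUpload
{
    const string Host = "ftp.example.invalid";   // placeholder host
    const string RemoteDir = "/incoming/";        // the one folder users may write to

    public static string Upload(string localFile)
    {
        // Assumed mechanism: credentials supplied by the environment (or a
        // DPAPI-protected config) at run time. Missing values fail fast rather
        // than falling back to anything hard-coded.
        string user = Environment.GetEnvironmentVariable("FTP_USER");
        string pass = Environment.GetEnvironmentVariable("FTP_PASS");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            throw new InvalidOperationException("FTP credentials are not configured.");

        var uri = new Uri("ftp://" + Host + RemoteDir + Path.GetFileName(localFile));
        var req = (FtpWebRequest)WebRequest.Create(uri);
        req.Method = WebRequestMethods.Ftp.UploadFile;
        req.Credentials = new NetworkCredential(user, pass);

        // Explicit FTPS (AUTH TLS): the control channel, including USER/PASS,
        // is wrapped in TLS before the password is sent, so a sniffer on the
        // wire sees only ciphertext. Leave the default certificate validation
        // in place; overriding ServerCertificateValidationCallback to always
        // return true would reopen the interception problem.
        req.EnableSsl = true;
        req.UsePassive = true;

        using (Stream src = File.OpenRead(localFile))
        using (Stream dst = req.GetRequestStream())
            src.CopyTo(dst);

        using (var resp = (FtpWebResponse)req.GetResponse())
            return resp.StatusDescription;   // e.g. "226 Transfer complete."
    }
}
```

Plain FTP with the same code minus EnableSsl would send USER and PASS in clear text, which is exactly what the sniffer comments above describe.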