ansaurus

Question

Answer 1

+3 A:

You could store the hash (MD5 / SHA1) of the password instead and compare this with the hash of the supplied passwords.

Make sure you calculate the hash externally to avoid having the original password mentioned anywhere in the executable.

Jeff Foster 2009-12-31 17:23:05

Just a little extra note - look at performing hashes / digests with the Java Cryptograpy Architecture http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#MessageDigest

Matt 2009-12-31 17:28:32

You contradicted yourself. In para #1, you say store the hash. In para #2, you say calculate the hash.

GregS 2009-12-31 17:39:03

@GregS: There is no contradiction here. At build time you calculate the hash from a file or other source not part of the source code, and generate code from that calculation which stores only the hash in the executable. The at run time you calculate the hash of the user input and compare that to the correct hash stored in the program (probably in the data segment).

dmckee 2009-12-31 18:07:35

@Gregs - It says "calculate the hash *externally*", and by that I mean use another tool outside of the source code to generate the hash. If you've any suggestion how to word it better, I'm open to offers!

Jeff Foster 2009-12-31 18:21:06

@dmckee: Thank you, I misunderstood that. Even so, I maintain my claim stated below.

GregS 2009-12-31 18:22:52

Answer 2

+1 A:

Use a function that hashes the password - keep the hash of a password in the source, not the password itself.

A quote from that page:

A related application is password verification. Passwords are usually not stored in cleartext, for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. This is sometimes referred to as one-way encryption.

Eli Bendersky 2009-12-31 17:23:10

Answer 3

A:

If you are storing the application on the user's mobile device, the best you can do is try to obscure the password. I would recommend doing some sort of hashing algorithm (maybe SHA1) or a key derivation algorithm like PBKDF2 and storing the result rather than comparing against the plaintext password.

avpx 2009-12-31 17:24:04

Answer 4

+5 A:

As other have said. Store the hash, though you still need to use a strong password or an automated guesser will find the one you're using.

But, be warned:

If your attacker has access to the source code he/she/it can alter the stored password hash or just remove the password check.

So this method is of little use unless you can verify the integrity of the code being run, which is hard.

dmckee 2009-12-31 17:26:43

Answer 5

A:

Storing the hash instead the password buys you absolutely nothing. Since it is now the hash being used to authenticate instead of the password, reading the source code (or reversing the object code) will reveal the hash and allow the attacker to authenticate.

The answer to these questions is always the same. You can't achieve any measurable security if you use hard-coded client-side secrets no matter what you do. The best you can do is obfuscate enough until you get a warm fuzzy feeling that it is good enough.

GregS 2009-12-31 17:37:37

If user password input is hashed, knowing the desired hash does you absolutely no good (assuming the original password is "strong enough"). Saying "hashing buys you nothing" is simply false. If the user can Modify the code, you're obviously hosed, but just knowing the correct hash doesn't mean you can simply provide that, as you're implying.

Andrew Coleson 2009-12-31 17:42:50

The user can *always* modify the code running on their computer or appliance, and almost always very easily. Hashing buys you no measurable increase in security, only a non-measurable warm fuzzy feeling of false security.

GregS 2009-12-31 18:18:57

In compiled programs (which I guess would be a jar in javaese), it is slightly easier to read a plain text password than to locate the test and hack it out. A very modest defense suitable for kid sisters.

dmckee 2009-12-31 18:43:47

what are you talking about, GregS? given the hash of a password, if it's a good hash function, the attacker can not make up the password that will match this hash. This is how Unix stored its passwords for a long time (with the addition of salting, but that's not salient for this discussion)

Eli Bendersky 2009-12-31 18:46:33

@eli: True, I know that. Rereading the original code carefully instead of jumping to conclusions, I see my answer doesn't make sense. Instead of editing it, I leave it there as ignominious monument. The hash doesn't buy you anything in terms of keeping users besides "N0203251" from being able to derive the benefits of switchDisplayable(...), but not for the reasons I stated.

GregS 2009-12-31 19:16:15

Greg, what a great attitude, we all have our moments!

Duncan McGregor 2010-10-15 08:16:59

Answer 6

+2 A:

When it comes down to it, you've written a back door into the program. That's a Bad Thing - don't do it.

Like others have said, you can do better by using a hash, but a couple critical things are left out. When someone guesses the password, they'll know the password for every installed copy of your software. Since the password is hard coded, nobody will be able to change it or revoke it, so you'll have inserted a back door in the program that nobody can eliminate. And if you rely on that password ofr any communication with other resources, you can't ever change it - at least, not without significant additional work.

What you should really do is place the password in an external location, such as a hardware security module, or password file, or database table. Then, implement a full password change and rotation mechanism - honestly, this should be pretty much the same mechanism you use across all your passwords.

atk 2009-12-31 18:00:12

ansaurus

tags:

views:

answers:

Hide Password Content in Source Code

related questions