Menu
Supposing I have an important password somewhere in my program and I want to make it safer, ex:
ftp.password := 'mypassword';
About 8 years ago I use to 'crack stuff' for fun, so I found me stuff like that quite easily by using OllyDbg.
What I need to know is if there is a way to make this thing safe from prying eyes. I thought about storing the password directly into the component, but then again don't know if it would do any good.
926
Encryption is better than storing your password as plaintext but the only issue is that if a person have the cipher function/key he can decrypt it to get the plaintext. Encryption can be either symmetrical or asymmetrical types.
It is a standard practice to send "plain text" passwords over HTTPS via POST method. As we all know the communication between client-server is encrypted as per TLS, so HTTPS secures the password. The answer of above questions as follow:
I have a database which has stored procedures which take plaintext passwords. It hashes them and inserts them into the DB. If an attacker has access to the DB connection, it is possible to intercept calls to the DB using SQL Server Profiler and see the passed in plaintext passwords.
TLDR: As long as the network connection to the DB is secure, and as long as salted hashes are stored in your tables, calling a stored procedure with a plaintext password is fine.
Just don't do it. If you want to keep a password safe, don't put it in the program. You can ask the user for it if the program is interactive. If not, you should set up some kind of non-password-based authentication for the program to use.
If you must embed the password in the program, the rule is very simple -- never give the program to anyone who is not supposed to be able to do anything the password allows them to do.
178
Whilst the answer that you just shouldn't do this is correct, in practise there are occasions when the real world forces you hand. In the one or two instances where I've been forced into something like the approach I've used is to code a function that will generate a known password from scratch using some mathematical formula - for instance the first letter of the English words for the first 8 digits of PI in reverse order. Of course this can still be cracked, but it makes the task a little harder and should discourage casual browsers.
Of course if you're really using FTP (not SFTP) you're passing the password in plain text across the network anyway. I'd be more concerned with that initially - it's a much more obvious attack vector.
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
