 

Making a 'plaintext' string safe from cracking?

Supposing I have an important password somewhere in my program and I want to make it safer, ex:

ftp.password := 'mypassword';

About 8 years ago I used to 'crack stuff' for fun, so I found stuff like that quite easily by using OllyDbg.

What I need to know is if there is a way to make this thing safe from prying eyes. I thought about storing the password directly in the component, but then again I don't know if it would do any good.

John Rosenberg asked Dec 01 '11 18:12




2 Answers

Just don't do it. If you want to keep a password safe, don't put it in the program. You can ask the user for it if the program is interactive. If not, you should set up some kind of non-password-based authentication for the program to use.

If you must embed the password in the program, the rule is very simple -- never give the program to anyone who is not supposed to be able to do anything the password allows them to do.

David Schwartz answered Sep 23 '22 11:09



Whilst the answer that you just shouldn't do this is correct, in practice there are occasions when the real world forces your hand. In the one or two instances where I've been forced into something like this, the approach I've used is to code a function that will generate a known password from scratch using some mathematical formula - for instance the first letter of the English words for the first 8 digits of PI in reverse order. Of course this can still be cracked, but it makes the task a little harder and should discourage casual browsers.

Of course if you're really using FTP (not SFTP) you're passing the password in plain text across the network anyway. I'd be more concerned with that initially - it's a much more obvious attack vector.

Cruachan answered Sep 19 '22 11:09

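An added example (not code from the thread) of the "generate the password from a formula" idea in Python. The answer leaves the exact scheme open, so the reading used here (first 8 digits of pi including the leading 3, reversed, first letter of each digit's English name) is an assumption; the `literal_visible` check and the constructed program bytes are also mine. It shows what the trick buys and what it does not: the derived value never appears in the program's bytes, but the function returns the same plain string at runtime, which is why the answer says it only discourages casual browsing.

```python
# Added example, not from the original thread. The derivation scheme below is
# one assumed interpretation of "first letter of the English words for the
# first 8 digits of PI in reverse order".
import math

DIGIT_WORDS = ["zero", "one", "two", "three", "four",
               "five", "six", "seven", "eight", "nine"]


def pi_digits(n: int) -> list[int]:
    """First n significant digits of pi: 3, 1, 4, 1, 5, 9, 2, 6, ..."""
    # math.pi is accurate to 15 decimal places, enough for n <= 16 here.
    text = f"{math.pi:.15f}".replace(".", "")
    return [int(ch) for ch in text[:n]]


def derive_password(n_digits: int = 8) -> str:
    """Rebuild the secret from the formula instead of storing a literal."""
    digits = pi_digits(n_digits)
    # Reverse the digits, then take the first letter of each digit's name.
    return "".join(DIGIT_WORDS[d][0] for d in reversed(digits))


def literal_visible(program_bytes: bytes, secret: str) -> bool:
    """Simulate the strings-style scan that finds a literal in a binary."""
    return secret.encode() in program_bytes


# Constructed stand-ins for the two versions of the program's bytes.
HARDCODED_PROGRAM = b"ftp.password := 'mypassword';"
DERIVED_PROGRAM = b"ftp.password := derive_password();"

if __name__ == "__main__":
    secret = derive_password()
    print("derived:", secret)
    # True: the literal is sitting in the program for anyone to read.
    print("literal scan finds hardcoded:", literal_visible(HARDCODED_PROGRAM, "mypassword"))
    # False: the derived value is not in the bytes, but it exists as soon as
    # the function runs, so a debugger on the running process still sees it.
    print("literal scan finds derived:", literal_visible(DERIVED_PROGRAM, secret))
```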