Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Prevent programmers from knowing passwords used at runtime

Tags:

security

passwords

My application connects to an FTP server with a username and password. I can create an encryption routine to encrypt and decrypt the password, but anybody with access to the source code and the encrypted password can decrypt the password.

Is there an easy way to prevent every human being from knowing the entire password used by an application? (I think it's okay if multiple people know part of the password.)

EDIT: I know FTP is not secure. Ideally, I'd like a technique that would work in any situation where a username and password are required (e.g. a database connection).

like image 943
Jim Avatar asked Oct 09 '08 18:10

Jim

People also ask

What method should be used to pass credentials into source code?

You should encrypt your credentials before saving the file, and additionally, you can apply a second encryption to the file itself (2-layer encryption to the credentials, and 1-layer to other file contents). Note that each of the two encryption processes mentioned above can be multiple-layered themselves.

How are passwords transmitted and stored?

All modern secure computer systems store users' passwords in an encrypted format. Whenever a user logs in, the password entered is encrypted initially, then compared to the stored encryption of the password associated with the user's login name. A match succeeds and a mismatch fails -- it's that simple!

3 Answers

No. All an app user has to do is sniff their own network traffic (easy to do with Wireshark or such).

You really need a way to give each user a unique token of some sort.

Edit - more info:

Any system that relies on "secret" login information that is the same for every copy of the application is flawed by design. In order to keep things secure, every install of your app must have a unique secret that it uses to authenticate with the server. How you accomplish that is dependent on how you license/distribute your app. Here is how I would do it. (Perform all communication over an SSL connection).

  1. App is launched for the first time - it sees that it has no authentication information saved.
  2. App prompts you for a registration code, email address and/or however you want to identify your users.
  3. App generates a public/private keypair and submits the public key with your ID info from step 2 to the server.
  4. Server remembers your key and uses it to identify your app from now on.

Alternate step 3 is: app submits info from step 2 and server sends back a hash signature of the info + salt. Hash signature is now your app's key.

The important thing is that there is no "secret" shared between all your users.

like image 97
Neall Avatar answered Oct 05 '22 19:10

Neall

You can refer my old question and the answers here. How to store passwords in Winforms application?. But, looking forward to some other ideas too.

like image 25
Gulzar Nazim Avatar answered Oct 05 '22 21:10

Gulzar Nazim

Shouldn't there be at least one person who has access to a password or the key? Our devs don't have access to production servers. That allows the systems guys, who are allowed to know the passwords, to set the passwords when they deploy the software.

Code the software to be configurable and then keep your devs out.

like image 24
mspmsp Avatar answered Oct 05 '22 20:10

mspmsp
Sign in to Comment

Related questions

Can a PHP file ever be read externally? [closed]
NoSQL Database for Banking System [closed]
Why should I use session id in cookie instead of storing login and (hashed) password in cookie?
Change Joomla Administrator URL
What is apache autoindex and should I disable it?
Are passwords stored in memory safe?
How to suppress "An application is requesting access to a protected item" popup
Electron 'contextBridge'
<? or <?php --- is there any difference? [duplicate]
Does AccessController.doPrivileged give JavaScript threads the permissions of the signed Applet?
Centralized vs. Distributed version control security
Javascript XSS Prevention
Should I use GET or POST when requesting sensitive data?
How safe is auth !== null? Firebase
Top tips for secure web applications [closed]
Secure MySQL backup cron job – my.cnf is not being read
Removing Unused HTTP Handlers for Better Performance & Security
Password reset by emailing temporary passwords
How does software activation work?
Indexing Sitecore Item security and restricting returned search results

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!