Saving passwords in application code

I have doubts about how to store a password for use in my application. I need to encrypt / decrypt data on the fly, so the password has to be somewhere. The options are to hardcode it in my application or to load it from a file.

I want to encrypt the license file for the application, and one of the security steps includes the ability to decrypt the license (other steps follow it). The user never needs to know the password, only I do, because it really is not needed by them!

I am concerned that hackers will look at my code, retrieve the password that I stored there, and use it to crack a license, which breaks the first security barrier.

At this point, I am not considering code obfuscation (in the end, I will), so this is a problem.

I know that any solution that stores passwords is a security risk, but there is no way around it!

I thought about building the password from several parts right before I really need it, but at some point the password is complete, so all it takes is a debugger and a breakpoint in the right place.

What approaches suit you (and gals) when you need to store your passwords hardcoded in your application?

Greetings

+4
5 answers

My personal opinion is the same as GregS above: it's a waste of time. The application will be pirated, no matter how you try to prevent it. But...

Your best bet is to reduce random piracy.

Note that you have two classes of users: the ordinary user and the pirate. The pirate will make great efforts to crack your application. A regular user just wants to use your application to do something. You can't do anything about the pirate.

The average user will not know anything about hacking code ("well ... what is a hex editor?"). If for this type of person it is easier to buy an application than to pirate it, then they often buy it.

It seems that the solutions you have already reviewed will be effective against the average user. And that’s about all you can do.

+7

Decide how much time / effort you will spend on preventing piracy. If someone is determined, they are probably going to get your application working anyway.

+4

I know that you do not want to hear it, but it is a waste of time, and if your application needs a hardcoded password, that is a design flaw.

+4

I do not know of any approach to this problem that would deter a hacker in any meaningful way. Secrecy is one of the hard problems of cryptography.

+4

The approach that I used in the past was to generate a unique identifier during installation: it would read the HDD and MCU SN and combine them in a complex structure, then the user would send this number to our automated system, and we would answer back with another block; the application then decrypts and compares this data on the fly during use.

Yes, it works, but it still has a hardcoded password; we have several levels of protection (i.e. there are some methods that prevent a mid-level hacker from understanding our security system).

I just recommend you make a very complex system and try to hack it yourself, to see if disassembling leads to an easy way in. Add some random calls to random routines, make them look very important, fake the use of registry keys and global variables, turn the hacker's life into hell, so that they eventually give up.

0
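The scheme in the last answer (a machine identifier built from hardware serial numbers, sent to the vendor, answered with a block that the application checks at run time) can be built so that the application does not have to carry a secret at all, which is the question's real problem. The example below is added here and is not code from any of the posters; it replaces the answer's "decrypt and compare" step with a digital signature, so the vendor keeps the private key and the application embeds only the public key, which an attacker can read from the binary without gaining anything. The serial numbers, expiry date and field names are constructed for illustration; the fingerprint is the SHA-256 of the joined serials, which is an assumption and not the poster's "complex structure".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// License is the block the vendor's automated system sends back.
// Field names are constructed for this example.
type License struct {
	Fingerprint string `json:"fp"`  // machine identifier the license is bound to
	Expires     string `json:"exp"` // expiry date, checked separately by the app
}

// SignedLicense is what is stored in the license file on the user's machine.
type SignedLicense struct {
	Payload   []byte // JSON-encoded License
	Signature []byte // Ed25519 signature over Payload, made with the vendor's private key
}

// Fingerprint derives the machine identifier from hardware serial numbers
// (the answer's "HDD and MCU SN"). SHA-256 of the joined serials is an assumption.
func Fingerprint(serials ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(serials, "|")))
	return hex.EncodeToString(sum[:])
}

// IssueLicense runs on the vendor's automated system. Only this side holds priv,
// so nothing secret needs to be hardcoded in the shipped application.
func IssueLicense(priv ed25519.PrivateKey, fp, expires string) (SignedLicense, error) {
	payload, err := json.Marshal(License{Fingerprint: fp, Expires: expires})
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyLicense runs inside the application with only the embedded public key.
// It rejects a forged or modified block and a block issued for another machine.
func VerifyLicense(pub ed25519.PublicKey, lic SignedLicense, localFP string) (bool, error) {
	if !ed25519.Verify(pub, lic.Payload, lic.Signature) {
		return false, fmt.Errorf("license signature invalid")
	}
	var l License
	if err := json.Unmarshal(lic.Payload, &l); err != nil {
		return false, fmt.Errorf("license payload malformed: %w", err)
	}
	if l.Fingerprint != localFP {
		return false, fmt.Errorf("license is bound to a different machine")
	}
	return true, nil
}

func main() {
	// Vendor generates its key pair once; pub is compiled into the application.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Installer computes the identifier from constructed sample serials and sends it in.
	fp := Fingerprint("HDD-SN-CONSTRUCTED-0001", "MCU-SN-CONSTRUCTED-0001")

	// Vendor answers with the signed block; the app stores it and checks it at run time.
	lic, err := IssueLicense(priv, fp, "2030-01-01")
	if err != nil {
		panic(err)
	}
	ok, err := VerifyLicense(pub, lic, fp)
	fmt.Println("own machine:", ok, err)

	// Copying the license file to another machine fails the fingerprint check.
	ok, err = VerifyLicense(pub, lic, Fingerprint("HDD-SN-OTHER", "MCU-SN-OTHER"))
	fmt.Println("other machine:", ok, err)
}
```

The point for the original question: the only value left in the binary is `pub`, and recovering it does not let anyone issue a license, so the "breakpoint on the assembled password" problem from the question disappears for this step. The checks that happen after verification (expiry, feature flags) are still ordinary code and remain patchable, which is the caveat the other answers make.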
