Make a plaintext string safe from hacking?

Suppose I have an important password somewhere in my program and I want to make it more secure, for example:

ftp.password := 'mypassword'; 

About 8 years ago I used to "hack" things for fun, so I found things like this pretty easily using OllyDbg.

I need to know whether there is a way to keep this safe from prying eyes. I thought about saving the password directly in the component, but then again I do not know whether that is any good.

+7

6 answers

Just don't do it. If you want to keep the password safe, do not put it in the program. If the program is interactive, you can ask the user for it. If not, you should set up some kind of passwordless authentication for the program you are using.

If you must put a password into the program, the rule is very simple: never give the program to anyone who should not be allowed to do everything that password permits.

+17

While the answer that you simply should not do it is right, in practice there are times when the real world forces your hand. In the one or two cases where I was forced to do something like this, I used code that generated the known password from scratch using some mathematical formula, for example the first letters of the English words for the first 8 digits of pi, in reverse order. Of course, this can still be hacked, but it makes the task a little harder and should deter casual browsers.

Of course, if you really are using FTP (not SFTP), you are still sending the password over the network in plain text. I would be more worried about that first; it is a much more obvious attack vector.

+5

While I completely agree with David Schwartz (you should not put any passwords directly inside the program), you can make it harder for someone to find.

Instead of defining the string in one piece, you can build it procedurally. That way the string as a whole is never stored in one fragment of the executable, which makes searching for it harder.

+4

This is simply not a problem that cryptography can solve. The only way to protect this value is to rely on the user access controls provided by your operating system. Make sure the file permissions are as restrictive as possible: chown user:user file, then chmod 400 file.

+3
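The two answers above agree on the same thing: keep the secret out of the binary and let the operating system guard it. As an added example (not code from the original thread or from any of the posters), here is a small Python loader that reads the password from a file and refuses it unless the file looks like what `chown user:user file; chmod 400 file` produces: a regular file (not a symlink), owned by the current user, with no group or other permission bits. It assumes a POSIX host; the file name `ftp.password` and the sample content are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Any permission bit for group or others means somebody else can read it.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO


class InsecureCredentialFile(Exception):
    """Raised when the credential file is not protected by OS access control."""


def read_password_file(path: str) -> str:
    """Return the first line of `path`, but only if the file is owned by the
    current user and readable by nobody else (the `chmod 400` case).
    Assumes POSIX semantics for st_uid and mode bits."""
    st = os.lstat(path)  # lstat: a planted symlink must not be followed
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise InsecureCredentialFile(
            f"{path}: owned by uid {st.st_uid}, not by uid {os.getuid()}")
    if st.st_mode & FORBIDDEN_BITS:
        raise InsecureCredentialFile(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable by "
            f"others; fix with chmod 400")
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def demo() -> dict:
    """Constructed demonstration: write a throwaway password file (hypothetical
    name ftp.password, same sample value as the question) with the two modes
    the answer contrasts and report what the loader does with each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ftp.password")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("mypassword\n")  # constructed sample content
        os.chmod(path, 0o400)
        results["mode_0400"] = read_password_file(path)
        os.chmod(path, 0o644)
        try:
            read_password_file(path)
            results["mode_0644"] = "accepted"
        except InsecureCredentialFile:
            results["mode_0644"] = "refused"
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode}: {outcome}")
```

Only group and other bits are checked, so a `0600` file passes as well; the check is the same one an SSH client applies to a world-readable private key. The usual caveat applies: root, or anyone else who can read the user's files, can read this one too, which is exactly the access-control boundary the answer says you are relying on.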

Here is one way. It protects against curious people using a hex viewer, but, of course, it will not hold up against standard practice at runtime:

 function GetA: string;
 begin
   Result := #109#121#112; // 'myp'
 end;

 function GetB: string;
 begin
   Result := #97#115#115#119; // 'assw'
 end;

 function GetC: string;
 begin
   Result := #111#114#100; // 'ord'
 end;

 procedure TForm1.Whatever;
 begin
   ftp.Password := GetA + GetB + GetC; // 'mypassword'
 end;

As I said, this is not protected against someone setting a breakpoint during execution and inspecting ftp.password in memory after it has been set, but it is safe from hex viewers. I usually set ftp.password at design time to DoyouthinkImthatstupid? for those who want to try.

+2
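The three "make it harder to find" answers (the formula-derived password, the procedurally built string, and the GetA + GetB + GetC split above) all rely on the same distinction: the whole literal no longer sits in one place on disk, yet the assembled value exists in memory the moment it is used. As an added example (not code from the original thread or from any of the posters), the Python below makes that distinction concrete: a minimal re-implementation of the `strings` tool scans a constructed stand-in for a binary's constant pool, the password is rebuilt from the same decimal character codes the Delphi answer uses, and a trace hook plays the role of a debugger breakpoint that reads the return value without touching the code. The fake data section, its padding and the 4-byte minimum run length are assumptions for the demonstration, not facts about any real compiler output.

```python
import sys

# Constructed sample, the same value the question hardcodes.
PASSWORD = "mypassword"


def find_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """What a hex viewer or the `strings` tool shows: every run of printable
    ASCII at least min_len bytes long."""
    found, run = [], bytearray()
    for byte in blob + b"\x00":  # trailing NUL flushes the final run
        if 0x20 <= byte < 0x7F:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run.clear()
    return found


def fake_data_section(constants: list[str]) -> bytes:
    """Constructed stand-in for a compiled binary's constant pool: each string
    constant is emitted separately with padding between them. Splitting the
    literal changes nothing else about what ends up on disk."""
    padding = b"\x00" * 16
    return padding.join(c.encode("ascii") for c in constants) + padding


# Same split as the Delphi answer, written as decimal character codes.
def get_a() -> str:
    return chr(109) + chr(121) + chr(112)           # 'myp'


def get_b() -> str:
    return chr(97) + chr(115) + chr(115) + chr(119)  # 'assw'


def get_c() -> str:
    return chr(111) + chr(114) + chr(100)            # 'ord'


def assemble_password() -> str:
    """The runtime equivalent of ftp.Password := GetA + GetB + GetC."""
    return get_a() + get_b() + get_c()


def password_visible_on_disk(constants: list[str]) -> bool:
    """True if a strings scan of the fake data section yields the full password."""
    return PASSWORD in find_strings(fake_data_section(constants))


def observe_return_value(fn):
    """Analogue of a breakpoint placed right after the assignment: a trace hook
    records what fn returns without modifying fn at all."""
    captured = []

    def tracer(frame, event, arg):
        if event == "return" and frame.f_code is fn.__code__:
            captured.append(arg)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        fn()
    finally:
        sys.settrace(previous)
    return captured[0]


if __name__ == "__main__":
    split = [get_a(), get_b(), get_c()]
    print("plain literal found by strings:", password_visible_on_disk([PASSWORD]))
    print("split literal found by strings:", password_visible_on_disk(split))
    print("fragments strings still shows:  ", find_strings(fake_data_section(split)))
    print("recovered at runtime:           ", observe_return_value(assemble_password))
```

Two details are worth noticing. The split defeats a search for the whole word, but any fragment of four or more characters (`assw` here) is still listed by `strings`, so fragment length matters as much as splitting. And the trace hook recovers the full password with no knowledge of how it was built, which is why every answer in the thread treats this as a speed bump for casual browsers rather than protection against anyone with a debugger.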

Perhaps you could encrypt the string and decrypt it when you read it?

But even then, as others have said, storing a password inside an application is not a good idea.

Even if you encode or encrypt the string, it will not be safe from certain people.

+1
