3

I am making a custom ftp client that logs onto a single ftp site and goes to a specific folder to avoid users putting files in the wrong place.

I'm not super concerned about it, but the password is just a string to initiate the new ftp object.

FtpClient ftp = new FtpClient("www.markonsolutions.com", "user", "password");

What is the best way to keep this password from prying eyes?

Adam Batkin
Crash893
    Use Arabic chars. They're unreadable to 99% of people. – David Rutten Sep 09 '09 at 19:43
  • 4
    @David Rutten: Care to explain why? Arabic appears to be the world's sixth most spoken language. (http://www2.ignatius.edu/faculty/turner/languages.htm) – JoshJordan Sep 09 '09 at 19:47
  • Consider a different approach. Assume that bad people will get the password, so first, set the account up so that it only has write access and only to the specific directory you're using. Second, is it feasible/reasonable/appropriate to prompt the user for the password? – Bob Kaufman Sep 09 '09 at 19:49
  • 1
    @Bob Kaufman We are hosted through GoDaddy so it's a "1 key to the castle" thing. @David + @JoshJordan I don't agree, but just because something's 6th doesn't mean many people read it (either way I won't be using that trick) – Crash893 Sep 09 '09 at 19:54
  • Heh... had the same issue with GoDaddy for a file upload. FWIW, my approach was to create a web-based client that uploaded the file via HTTP to a R/W UserFiles directory. The filename was a function of the username and the timestamp. I should stress that this is security through obscurity and that the content of the file wasn't anything worth stealing. – Bob Kaufman Sep 09 '09 at 20:03
  • Obfuscation is never a good solution to security. – csharptest.net Sep 09 '09 at 22:25

4 Answers

10

FTP supports only plain text authentication - if you want to hide the password from attackers you have to use FTPS (FTP over SSL).

UPDATE

Don't care about hiding and obfuscating the password in your source code as a first step - your application will have to decrypt it and send it over the wire in plain text. Everyone can just start WireShark or any other packet sniffer and get the password back in plain text. First make sure that you don't send the password in plain text over a network, then start thinking about obfuscating it in your code.

UPDATE

Obfuscating the password in your code yields no security at all while you are sending it in plain text, but you can do so. Just encrypting the string adds one level of indirection. Without obfuscation I have to find the password in your application and that's a matter of minutes with Reflector; with obfuscation I have to find the key, the encrypted password, and the encryption method. This will probably still take only minutes.

Using an obfuscator to prevent me from decompiling your application (into readable code) might stop me for a few hours until I find the relevant call into a system library function (but I wouldn't try, I would only read the password from the wire ;).

So I suggest not trying too hard to obfuscate the password - the average user is probably unable to find a plain text password in an executable, and people willing to find the password cannot be stopped by obfuscation. In this case the only way would be not to include the password in your application in the first place.

Daniel Brückner
  • +1 - I thought we were only going to see answers here that dealt with obscuring the password in the .NET assembly. – JoshJordan Sep 09 '09 at 19:48
  • This is correct. I am not worried about sniffing right now, but I will be thinking about this later – Crash893 Sep 09 '09 at 19:55
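The two steps from the accepted answer (encrypt the transport first, keep the secret out of the binary) as an added C# example; this is not code from the question or any answer. It uses the framework's FtpWebRequest with EnableSsl rather than the FtpClient class in the question, and assumes the credentials arrive through FTP_USER / FTP_PASS environment variables and that the target folder is a hypothetical /uploads/ on the site named in the question.

```csharp
using System;
using System.IO;
using System.Net;

// Added example (not from the question or answers): upload one file over explicit FTPS
// with the credentials read from the environment instead of compiled into the assembly.
// Assumptions: FTP_USER / FTP_PASS are set by whoever deploys the tool, and the
// remote folder /uploads/ exists (placeholder, not from the page).
static class FtpsUploader
{
    const string Host = "www.markonsolutions.com";
    const string RemoteDir = "/uploads/";   // assumption, not from the page

    public static string Upload(string localPath)
    {
        string user = Environment.GetEnvironmentVariable("FTP_USER");
        string pass = Environment.GetEnvironmentVariable("FTP_PASS");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            throw new InvalidOperationException("FTP_USER / FTP_PASS are not set");

        var uri = new Uri("ftp://" + Host + RemoteDir + Path.GetFileName(localPath));
        var request = (FtpWebRequest)WebRequest.Create(uri);
        request.Method = WebRequestMethods.Ftp.UploadFile;
        request.UseBinary = true;
        // AUTH TLS: both the control channel (where USER/PASS travel) and the data
        // channel are encrypted, so a packet sniffer on the path no longer sees the password.
        request.EnableSsl = true;
        // Deliberately no ServerCertificateValidationCallback override: a certificate that
        // fails validation must abort the connection, or the TLS wrapper protects nothing.
        request.Credentials = new NetworkCredential(user, pass);

        using (Stream source = File.OpenRead(localPath))
        using (Stream destination = request.GetRequestStream())
        {
            source.CopyTo(destination);
        }
        using (var response = (FtpWebResponse)request.GetResponse())
        {
            return response.StatusDescription;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: FtpsUploader <file>"); return; }
        Console.WriteLine(Upload(args[0]));
    }
}
```

The server has to offer FTPS for EnableSsl to succeed; on a host that only speaks plain FTP the request fails rather than silently falling back to cleartext.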
2

You can use this to protect your plain text string from reflector like programs.

Eran Betzalel
  • 4
    Has anyone else heard of this tool? I have an inherent distrust of running software I have never heard of (especially when it's hosted in Ukraine). This isn't listed on download.com. I would love to get some reliable references because that looks like a nice tool. – Eric J. Sep 09 '09 at 19:47
1

See this SO post about how to encrypt and decrypt a string, in this case your password.

You should also consider obfuscating your code to make it difficult for people with appropriate tools to get the password by debugging your code.

Eric J.
  • It is much easier to start a network sniffer like WireShark (http://www.wireshark.org/) and read the password directly from the wire after the application decrypted it. – Daniel Brückner Sep 09 '09 at 19:50
  • Agree, I was looking at the question narrowly (guess I needed that 2nd cup of coffee after all). We use sftp for exactly that reason. – Eric J. Sep 09 '09 at 20:53
0

Make your passwords and connection URLs configuration parameters, in a protected file. I use INI files, and they are placed in a directory that is protected by the web server such that a browser can't open nor see the file/directory.

Jay
  • You can call a web service from an exe, which has the advantages of Jay's solution, without the need for a web application. – Michael Maddox Sep 12 '09 at 11:35