1

I've been around the hacking block where I see people able to pull out email passwords and FTP details out of programs, and I was wondering what's the best bet to protect those details while not crypting my VB.NET program.

Joe
  • If you do not want to encrypt your strings, there will always be a way to retrieve them. If you're using managed code, such as VB.NET, it's even easier with a disassembler. – madd0 Mar 09 '11 at 10:32
  • and then there are debuggers... – Thilo Mar 09 '11 at 10:44

2 Answers

5

Encryption is the only way to really stop the dedicated hacker. But if this is about passwords that the program needs to know itself for operation, then it will have to have the key embedded as well (or maybe download it from your server every time). So the dedicated hacker could still get to it. Same problem the content industry faces in their Digital Restriction Management efforts: the player needs to be able to decode the media, they need to give people the player, so the player can be disassembled, and the encryption cracked.

All you can do is obfuscate things a little (or a lot).

Or give up on client software and run your program as a web service, where people cannot get to the code.

Thilo
  • I take objection to placing hackers and crackers/thieves/mischiefs in the same category. – Apalala Mar 09 '11 at 23:14
  • Thanks, the program was supposed to grab an email, I just made it grab the email from a PHP file instead now. – Joe Mar 10 '11 at 02:21
  • @Apalala: I take objection to placing people who want to play their purchased content on all their devices, who want to modify the software they use to better fit their needs and who want to use the hardware they bought to the full extent it is capable into the same category as thieves and mischiefs. – Thilo Mar 10 '11 at 02:57
  • This is not necessarily the only way. If, for example, you're going to be using this in a domain environment, you could use a derivative of the AD password to encrypt the item. When you want to decrypt it, you prompt for username and pwd and auth against AD/LDAP and if successful, then you create a hash of some kind (with salt!) of that password and then use that derivative of the password to encrypt the password the program needs to use to connect to something. – PsychoData Apr 15 '14 at 19:33
0

Obfuscation and encryption may delay a crack, but only for a while, because every encryption system can be broken with:

  1. Access.
  2. Enough time.

Because an exact digital copy of whatever can be made in minutes or seconds, time is guaranteed, so #1 becomes paramount.

Never store passwords in software or databases! Take a look at the SO Q&A about Salting Passwords for the details.

Community
Apalala