How secure are string values?

Question

Take the following program:

#include <string>
#include <iostream>

constexpr std::string correct_pin = "1874";
std::string response;

int main() {
    std::cout << "Enter a pin.";
    std::cin >> response;

    if (response == correct_pin) {
        std::cout << "That is the correct pin!";
    }
    else {
        std::cout << "Incorrect pin.";
    }
}

Would the user be able to somehow dig into memory and find the literal "1874", and reason that it must be the pin? And if so, are there any ways to make the string more secure?

Answer 1

Would the user be able to somehow dig into memory and find the literal "1874"

Yes. Easily.

and reason that it must be the pin?

Not quite as easy in general, but possibly. If debug info is included, then it would be easy still. Or they could make an assumption that one of the strings is the PIN and simply all of them until they find a match.

If you just take a look at the contents of the executable, you may find something like this:

Enter a pin.1874That is the correct pin!Incorrect pin.;

What would you guess?

And if so, are there any ways to make the string more secure?

There are ways to obfuscate, but no way to secure if you want to keep the program self contained. One potential solution is for the program to connect to your server which contains the secret, and apply zero knowledge proof techniques to use the secret.

Answer 2

Yes, 1874 would be stored in memory and in the executable.

You could use a cryptography library to salt and hash the correct pin and store the salt and hashed value. In the past I have used crypto++. This would be almost impossible to try and figure out the original value by working with the hashed value, they would have to brute force it. Although the rest of your executable is not secure so they could just hack out the comparison of the response and the correct pin.