John Rosenberg

Reputation: 617

Making a 'plaintext' string safe from cracking?

Supposing I have an important password somewhere in my program and I want to make it safer, ex:

ftp.password := 'mypassword';

About 8 years ago I used to 'crack stuff' for fun, so I found stuff like that quite easily by using OllyDbg.

What I need to know is if there is a way to make this thing safe from prying eyes. I thought about storing the password directly into the component, but then again I don't know if it would do any good.

Upvotes: 7

Views: 405

Answers (6)

user741875

Reputation:

Perhaps you could Encrypt the string, and Decrypt it back when you read it?

But even then, as others have said, storing a password internally in the Application is not a good idea.

Even if you Encoded or Encrypted the string it is not going to be safe from determined people.

Upvotes: 1

rook

Reputation: 67019

This is simply not a problem that cryptography can solve. The only way to protect this value is to rely upon the user access control provided by your operating system. Make sure the file's permissions are limited as much as possible. chown user:user file then chmod 400 file.

Upvotes: 3

Cruachan

Reputation: 15971

Whilst the answer that you just shouldn't do this is correct, in practice there are occasions when the real world forces your hand. In the one or two instances where I've been forced into something like this, the approach I've used is to code a function that will generate a known password from scratch using some mathematical formula - for instance the first letter of the English words for the first 8 digits of PI in reverse order. Of course this can still be cracked, but it makes the task a little harder and should discourage casual browsers.

Of course if you're really using FTP (not SFTP) you're passing the password in plain text across the network anyway. I'd be more concerned with that initially - it's a much more obvious attack vector.

Upvotes: 5

LaKraven

Reputation: 5869

While I entirely agree with David Schwartz (you shouldn't embed any passwords inside a program directly), it is possible to make it more difficult for anyone to locate it.

Instead of defining the string in one piece, you can build the string procedurally. This way the string as a whole is never stored in one piece inside your executable, making it more difficult to find.

Upvotes: 4

Ken White

Reputation: 125688

Here's one way - it keeps it safe from curious people with a hex viewer, but of course won't work with advanced techniques at runtime:

function GetA: string;
begin
  Result := #109#121#112;       // 'myp' (decimal character codes)
end;

function GetB: string;
begin
  Result := #97#115#115#119;    // 'assw'
end;

function GetC: string;
begin
  Result := #111#114#100;       // 'ord'
end;

procedure TForm1.Whatever;
begin
  // The pieces are only joined at runtime, so 'mypassword' never
  // appears as one contiguous literal in the executable.
  ftp.Password := GetA + GetB + GetC;
end;

As I said, it's not secure from someone setting a break during the code execution with a debugger and inspecting the ftp.password in memory after it's set, but it's safe from a hex viewer. I usually set the designtime value of the ftp.password to something like DoyouthinkImthatstupid? for those who like to try, though.

Upvotes: 2
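The procedural-construction idea from LaKraven's and Ken White's answers, carried one step further as an added example (not code from any of the answers): the bytes are stored XORed against a constant and decoded only when needed, and a helper zeroes the local copy afterwards. `Key`, `Obf`, `BuildSecret` and `WipeString` are names chosen here; the encoded table is constructed from 'mypassword'.

```delphi
unit SecretBuild;

interface

function BuildSecret: string;
procedure WipeString(var S: string);

implementation

const
  // Constructed example data: 'mypassword' with every byte XORed against Key.
  // The plaintext literal is therefore never present contiguously in the
  // executable. That is all this technique buys: a debugger still sees the
  // decoded value the moment it is assigned, exactly as Ken White notes.
  Key = $5A;
  Obf: array[0..9] of Byte =
    ($37, $23, $2A, $3B, $29, $29, $2D, $35, $28, $3E);

function BuildSecret: string;
var
  I: Integer;
begin
  SetLength(Result, Length(Obf));
  // Delphi strings are 1-based; rebuild the value one character at a time
  // so it only ever exists in this function's result buffer.
  for I := 0 to High(Obf) do
    Result[I + 1] := Chr(Obf[I] xor Key);
end;

procedure WipeString(var S: string);
begin
  // Detach from any shared string buffer before overwriting it, then zero
  // it so the value does not linger in memory longer than necessary.
  UniqueString(S);
  if S <> '' then
    FillChar(S[1], Length(S) * SizeOf(Char), 0);
  S := '';
end;

end.
```

Assign `ftp.Password := BuildSecret;` at the point of use and call `WipeString` on any local copy; the component's own copy remains in memory for as long as it needs it.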

David Schwartz

Reputation: 182761

Just don't do it. If you want to keep a password safe, don't put it in the program. You can ask the user for it if the program is interactive. If not, you should set up some kind of non-password-based authentication for the program to use.

If you must embed the password in the program, the rule is very simple -- never give the program to anyone who is not supposed to be able to do anything the password allows them to do.

Upvotes: 17
