
Is it safe to store passwords inside binary file?



#1 Fred

Fred

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:29 PM

Posted 27 August 2004 - 09:41 AM

Hi everyone,

Here's something I was wondering. :thumbsup:

I have a VB application that's calling another application. This second application is a command-line program that uses a password as a parameter.

My code looks like this:

Public Const MYPASSWORD = "ThisIsMyPassword12345"

' Shell returns the started program's task ID as a Double; an Integer can overflow
Dim result As Double

result = Shell("C:\Application2.exe " & MYPASSWORD, vbHide)

I was asking myself if it was secure to store a password as a constant inside an application.

Once the code is compiled and transformed to binary format, is it possible for a hacker to retrieve this password with some kind of password recovery tool?

Thanks. :flowers:

Fred


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,394 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 PM

Posted 27 August 2004 - 12:46 PM

Yes, if you have the password stored in a file, then it would be possible to reverse engineer that file and gain the password.

#3 Fred


Posted 27 August 2004 - 02:12 PM

Thanks for the reply.

If I understand you well, doing "reverse engineering" on an .exe file would give you back the original code and ... the passwords?

In that case, how easy is it to do this reverse engineering? Is it something anybody can do using some tools on the internet, or is it something that requires a lot of work by a highly IT-knowledgeable person?

I want to know if I should take that risk.

Thanks

#4 Grinler


Posted 27 August 2004 - 03:37 PM

Well there are a few ways to get the password. Simply listing the strings found in the binary file may reveal the password.

Using a debugger may allow them to bypass the password check altogether. Using a disassembler will create an assembly file that contains assembly and if someone is well versed in it, they can then find the password.

There are quite a few ways to do it, and for someone who is very knowledgeable in programming and debugging, it probably won't be that difficult.

To answer your question, a layman will probably have difficulty, but someone with decent computer knowledge and the ability to learn and work on solving a problem may be able to do it.

#5 Fred


Posted 30 August 2004 - 02:00 PM

"Well there are a few ways to get the password. Simply listing the strings found in the binary file may reveal the password"

You're right. I just opened my .exe with Notepad and was able to see my password there. :thumbsup:

Here's what I could do to make it a little more difficult to find the password. If someone has other ideas, let me know.

In my code I use the Chr() function to set the string,
e.g. myPassword = Chr(65) & Chr(87) & Chr(55) ... instead of
Public Const MYPASSWORD = "ThisIsMyPassword12345"

I understand that this solution is far from being perfect but it would make it more difficult to get the password.

I guess the best way would be to store the password in a file and encrypt it?

Since I want to distribute the app with the password and need the application to access this password, I would need to have the decryption key in my exe ... so I would still have the same security problem.

What do you think are the best ways to store passwords in this situation?

Thanks
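
Added example, not part of the original posts: a small Python check, in the spirit of the "list the strings" test described above, that a developer can run on their own build to see whether a secret is readable in the file. The byte blobs are constructed stand-ins for a compiled program (not real VB output), and the Chr() case is a simplified model in which the character codes are separated by non-text bytes.

```python
import re

MIN_LEN = 6  # shortest printable run worth reporting

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each character followed by a 0x00 byte), as Windows programs often do.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> list[str]:
    """Return the printable strings found in blob, like the `strings` utility."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def contains_secret(blob: bytes, secret: str) -> bool:
    """True if the secret can be read from the file without running it."""
    return any(secret in s for s in extract_strings(blob))


PASSWORD = "ThisIsMyPassword12345"             # the constant from the post
PADDING = bytes([0x00, 0x90, 0xFF, 0x01]) * 8  # constructed non-text bytes

# Constructed samples: the literal stored as ASCII and as UTF-16LE.
literal_ascii = PADDING + PASSWORD.encode("ascii") + PADDING
literal_utf16 = PADDING + PASSWORD.encode("utf-16-le") + PADDING

# Simplified model of Chr(65) & Chr(87) & ...: one character code at a time,
# with a non-text byte between them, so no contiguous string is stored.
built_at_runtime = PADDING + b"\x01".join(
    bytes([c]) for c in PASSWORD.encode("ascii")
) + PADDING

if __name__ == "__main__":
    for name, blob in [("ASCII literal", literal_ascii),
                       ("UTF-16 literal", literal_utf16),
                       ("Chr() build-up", built_at_runtime)]:
        print(f"{name:15} readable in file: {contains_secret(blob, PASSWORD)}")
    # The Chr() form only hides the value from a static string listing: the
    # complete password is still assembled in memory and passed on the
    # command line of Application2.exe at run time.
```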

#6 Grinler


Posted 30 August 2004 - 02:11 PM

I am not that "good" of a programmer, so please don't take me as an expert.

I would probably encrypt the password instead. Granted you have the decryption key in the file, but if you make the decryption key gibberish, like 812kas912; people may not recognize it for what it is.

#7 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:10:29 PM

Posted 31 August 2004 - 01:27 AM

I would recommend PE Lite or UPX to "pack" the executable. This gives a layer of protection from the "notepad" hackers. Be advised that most packing formats can be "unpacked". Hope that helps.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.




