Hello all,

Yesterday I used some code I found on this site to temporarily authenticate to a UNC path and then transfer data. Here is the link Connect to a UNC Path with Credentials[^].

It works great but the problem is that the credentials for authenticating to the file server are in plain text in the code. Obviously it is not visible to the user when using the .exe but I am concerned that some nefarious user could decompile the exe and get at the credentials. Is this something I should even be concerned about? If so, is there a way to somehow hide or encrypt the credentials so that they would not be visible in such a situation?

Thanks in advance for your help.

-Matt
Firstly, assess the risk associated with someone retrieving the credentials, particularly in terms of:

1. How likely it is.
2. What damage would be caused by someone using those credentials.
3. How quickly you can respond to the compromise in terms of securing the resource the credentials are used to access and in terms of distributing a fix.

I would almost certainly suggest there should at least be some obfuscation as the credentials are probably very easily accessible if they are just text constants. As for obfuscating the text, I would suggest some kind of symmetric algorithm (not necessarily encryption with a key) and then put some anti debugging code in place. There are some good chapters in this book[^] that might be worth looking at.

If the impact and likelihood of a compromise is significant, then you may need to think about something a bit more secure and abandon hard coded credentials.
It's easier to get those credentials than decompiling. You can just use Sysinternals Process Explorer (if you haven't seen it yet, it's task manager on steroids). With that, you can view all the strings in any running application.

I'm sure there are better ways now, but I would probably encrypt the credentials and hide them in a .dll that I include with my application. When your app starts up, read the credentials from the .dll, decrypt them and use them to connect. Then write a new value to the string that contained the credentials.

Like I said - I'm sure there are better ways to handle this these days - but that's what I would do.

- Pete
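As an added example (not code from the question or from either answer above), here is the hard-coded pattern Matt describes next to one way of keeping the password out of the binary altogether: the secret is stored once as a Windows DPAPI (`ProtectedData`) blob under the account the program runs as, so the key lives with that Windows account rather than anywhere in the .exe. It also includes the "overwrite after use" step Pete suggests and a small build-time self-check that scans the compiled file for the literal. The blob path, the share details and the entropy string are placeholders; it assumes a Windows .NET Framework build with `System.Security.dll` referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;

// Added example, not code from the question or the answers.
// Assumes Windows + .NET Framework; every path and name below is a placeholder.
static class ShareCredential
{
    // BEFORE (the situation in the question): a constant like this survives
    // compilation unchanged and shows up in a decompiler or a strings scan.
    // const string SharePassword = "P@ssw0rd-placeholder";

    // AFTER: the secret is never in the source. It is protected once with DPAPI
    // under the account that will run the program; DPAPI derives the key from
    // that Windows account, so nothing inside the .exe can decrypt the blob.
    private const string BlobPath = @"C:\ProgramData\ExampleApp\share.cred";   // placeholder
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp-v1"); // placeholder; binds the blob to this app, not a secret

    // One-time setup, run as the same account that will later call Load().
    public static void Save(string path, char[] secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(path));
            File.WriteAllBytes(path, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext bytes around
        }
    }

    // Returns char[] rather than string so the caller can wipe it after use;
    // a .NET string is immutable, so "writing a new value" to it is not possible.
    public static char[] Load(string path)
    {
        byte[] blob = File.ReadAllBytes(path);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetChars(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }

    // Build-time self-check: does the compiled file still contain the literal,
    // either as UTF-16 (how the C# compiler stores string constants) or UTF-8?
    public static bool BinaryContains(string exePath, string literal)
    {
        byte[] image = File.ReadAllBytes(exePath);
        return IndexOf(image, Encoding.Unicode.GetBytes(literal)) >= 0
            || IndexOf(image, Encoding.UTF8.GetBytes(literal)) >= 0;
    }

    private static int IndexOf(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }

    static void Main()
    {
        char[] password = Load(BlobPath);
        try
        {
            // Connect to the share here with the account name and `password`
            // (for example the UNC connection code from the linked article).
        }
        finally
        {
            Array.Clear(password, 0, password.Length);   // the "overwrite after use" step
        }
    }
}
```

Two caveats worth keeping in mind with this approach. First, it moves the trust boundary rather than removing it: anyone who can run code as that Windows account on that machine can call `Unprotect` exactly as the program does, so it defends against someone decompiling or copying the .exe, not against a compromised host. Second, the damage question in the first answer is easiest to answer well if the credential belongs to a dedicated service account that has only the rights it needs on that one share, so that recovery is a password reset rather than an incident.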

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)