Managing deployed passwords

Posted on 2005-03-07
Medium Priority
Last Modified: 2013-12-03
Our application is built on top of a database.  So when it gets installed on a customer's machine, our application is the "DBA"--the only entity with full admin privileges.  In the past I've stored DBA passwords within the application executable.  But I can easily find them by doing a search on these strings in a hex editor.  Of course, I can find it quickly because I know what I'm looking for.  Still, a dedicated person could find it with some effort.  

Another method I've used is to--rather than store it as a string--build it byte by byte using a function.  Could this solution still be easily cracked or is it fairly secure?

How can I effectively protect a password that needs to be deployed with an application?  If the answer is secret-key encryption, how would I protect the secret key?  And so on...

Question by:kevinbenedict
1 Comment
LVL 38

Accepted Solution

Rich Rumble earned 1200 total points
ID: 13478001
That can be a tough road to hoe... One-way hashes, such as the way M$ stores the user passwords in the SAM database, can be cracked very quickly nowadays. By using programs like RainbowCrack, all possible combinations can be written to a file, then searched for, and the pass is effectively recovered in minutes.

If you can "pack" the executable with a packer, then the pass would likely not be visible in a hex editor in the same fashion it is now. You can unpack the exe and then look for it to be sure. There are packers like UPX http://upx.sourceforge.net/ or even compressors like PEcompact http://www.collakesoftware.com/ and there are encoders (not encrypters) that can help also...
http://www.woodmann.com/crackz/Packers.htm (good tutorials on cracking, what to do and not to do) http://woodmann.com/crackz/

I'm no programmer, or program hacker, but I've read a few books on the subject. This may be a better question on the DB or Programming forums of EE.
There seems to be no end to the packer, compressor, encrypter and encoding programs out there... http://www.ewoss.com/search.aspx?k=encryption+software&s=1
Using Google you can find many links to this software.
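
The "unpack the exe and then look for it to be sure" check from the answer above, written as a release-audit script. This is an added example and is not part of the original post; the password, the fake image layout, and the use of zlib as a stand-in for a packer's compression stage are all assumptions made for illustration.

```python
import zlib

def patterns(secret: str) -> dict[str, bytes]:
    """Byte forms a string literal commonly takes inside an executable."""
    return {
        "ascii": secret.encode("ascii"),
        "utf-16le": secret.encode("utf-16-le"),  # wide strings in Windows binaries
    }

def find_secret(blob: bytes, secret: str) -> list[tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of secret in blob."""
    hits = []
    for name, pat in patterns(secret).items():
        pos = blob.find(pat)
        while pos != -1:
            hits.append((name, pos))
            pos = blob.find(pat, pos + 1)
    return hits

# --- Constructed sample data (not a real binary or a real password) ---
SECRET = "Dba#Passw0rd-Example"
FILLER = bytes(range(256)) * 4  # stands in for surrounding code and data

def sample_image() -> bytes:
    """Fake executable image holding the secret as ASCII and as UTF-16LE."""
    return (FILLER + b"\x00" + SECRET.encode("ascii") + b"\x00"
            + FILLER + SECRET.encode("utf-16-le") + b"\x00\x00" + FILLER)

def pack(image: bytes) -> bytes:
    """Assumption: zlib stands in for a packer's compression stage."""
    return b"PACK" + zlib.compress(image, 9)

def unpack(packed: bytes) -> bytes:
    return zlib.decompress(packed[4:])

def audit() -> dict[str, list[tuple[str, int]]]:
    """Scan the image as built, as packed, and after unpacking."""
    image = sample_image()
    packed = pack(image)
    return {
        "built": find_secret(image, SECRET),
        "packed": find_secret(packed, SECRET),
        "unpacked": find_secret(unpack(packed), SECRET),
    }

if __name__ == "__main__":
    for stage, hits in audit().items():
        print(f"{stage:9s} {hits}")
```

The packed stage reports no hits while the unpacked stage reports the same offsets as the original build, so a clean scan of the shipped file alone does not show the credential is gone.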
