Managing deployed passwords
Posted on 2005-03-07
Our application is built on top of a database. So when it gets installed on a customer's machine, our application is the "DBA"--the only entity with full admin privileges. In the past I've stored DBA passwords within the application executable. But I can easily find them by doing a search on these strings in a hex editor. Of course, I can find it quickly because I know what I'm looking for. Still, a dedicated person could find it with some effort.
Another method I've used is to--rather than store it as a string--build it byte by byte using a function. Could this solution still be easily cracked or is it fairly secure?
How can I effectively protect a password that needs to be deployed with an application? If the answer is secret-key encryption, how would I protect the secret key? And so on...