Hardcoded Passwords

Darren66

Member
Joined
Jun 9, 2003
Messages
20
I am considering building an application which would include various users being able to ftp files to a website. I dont particularly want to give the users the login/password for ftp access to the site but at the same time I know its not a very good idea to hardcode passwords!

Can anyone suggest what the best method would be to get this type of security?
Would Dotfuscator have any effect as (I am no expert on this) I think password could be intercepted when it leaves the application??
 
Dotfuscator just alters your variable and sub names and makes your code as confusing as possible so any decompiled code would be next to worthless to anyone who wasnt serious about retrieving the code.

Hardcoding the password in the app wont do much good and someone with a hex editor could get it out if they want. Not only that, but they could capture the data being sent out of the program with some sort of packet sniffer and possibly get the password from that (if its not 128-bit encrypted or something).

Do you have any administrative rights to this FTP? If you do, you could simply set up an incoming directory that people have access to upload to and dont give them any upload rights to any of the other directories. That way you could give the username and password to the users without worrying about them messing up anything else.
 
I dont have administrative rights at the moment but I will get them and attempt what you mentioned.
Many Thanks
 
The other way to do passwords is to make them based on an encryption algorithm (use name as key or something), but if you are seriously worried about people reversing your code and taking the password, then this isnt going to help either because they can modify the JMP that takes them to the "wrong password" dialog and then bypass your security like that....
 
Back
Top