Passwords in a variable


windows

Hello

Is there an easy way to prevent a variable being visible as plaintext
in the compiled .exe?
I'm using C# and VS2005 to compile.

e.g.

string
user = "myuser",
password = "mypassword";

gives:
m y u s e r m y p a s s w o r d

in the compiled exe...

Thanks for your help!

Tom
 

Jon Skeet [C# MVP]

windows said:
Is there an easy way to prevent a variable being visible as plaintext
in the compiled .exe?
I'm using C# and VS2005 to compile.

Not really. If you hard-code "private" information in your application,
even with a few cunning tricks (like storing an encrypted version and
decrypting it at runtime) it isn't too hard to work out what's going
on.

Basically, you shouldn't rely on "secrets" in code for security.

Jon
 

Jeroen

Not 100% sure if this will help you, but anyways. You may want to look
into obfuscation. I think the VStudio environment standard comes with a
'community edition' of Dotfuscator, a third party program to scramble
your compiled exe. For variables to be scrambled I also think it's wise
to state it like this:

private string password = "sec" + "ret";

Maybe someone can comment on my post whether this is somewhat relevant
and how you may use this, or whether it's completely out of place :p :D

-Jeroen
 

Jon Skeet [C# MVP]

Jeroen said:
Not 100% sure if this will help you, but anyways. You may want to look
into obfuscation. I think the VStudio environment standard comes with a
'community edition' of Dotfuscator, a third party program to scramble
your compiled exe.

That might make it a bit harder, but not a great deal.

For variables to be scrambled I also think it's wise
to state it like this:

private string password = "sec" + "ret";

That would have *no* effect on the compiled binary. If you use

private string password = string.Concat ("sec", "ret");

that would work, but with the version you've given, the compiler would
perform the concatenation itself.

Jon
 

Eric Moreau

See if the SecureString class can help you.

I wrote an article in August 2006 (http://emoreau.s2i.com/) that introduces
this topic.

--


HTH

Éric Moreau, MCSD, Visual Developer - Visual Basic MVP
Conseiller Principal / Senior Consultant
S2i web inc. (www.s2i.com)
http://emoreau.s2i.com/
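
One way to act on the advice in this thread is to keep the password out of the assembly entirely and collect it at run time. The sketch below is an added example, not code from any poster: it reads the password into the SecureString class mentioned above and hands it to ProcessStartInfo.Password. The class name RunAsPrompt and the target whoami.exe are placeholders, and the syntax is limited to C# 2.0 so it builds in VS2005.

```csharp
using System;
using System.Diagnostics;
using System.Security;

static class RunAsPrompt
{
    // Read a password without echoing it and without building a managed
    // System.String; the .NET Framework keeps SecureString contents encrypted.
    static SecureString ReadPassword(string prompt)
    {
        Console.Write(prompt);
        SecureString secret = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true);   // true = no echo
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();
        secret.MakeReadOnly();
        return secret;
    }

    static void Main()
    {
        Console.Write("User: ");
        string user = Console.ReadLine();
        // Dispose() zeroes the buffer as soon as the credential has been used.
        using (SecureString password = ReadPassword("Password: "))
        {
            // Placeholder target; substitute the program that needs the account.
            ProcessStartInfo psi = new ProcessStartInfo("whoami.exe");
            psi.UserName = user;
            psi.Password = password;        // accepts SecureString directly
            psi.UseShellExecute = false;    // required when UserName is set
            using (Process p = Process.Start(psi))
            {
                p.WaitForExit();
            }
        }
    }
}
```

The account name is not secret and stays an ordinary string; only the password never exists as a literal in the compiled exe.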

