Using Password in Application


Guest

I have an application that will call some external applications during the
course of execution. Since the application will be running on its own
without user intervention I will have to store a username and password inside
the code of the application to run processes etc. What is the best way to do
this considering security? What is the best way to prevent someone from
reverse engineering the application and getting to the password? Thanks in
advance for any help.
 
Primera said:
I have an application that will call some external applications during the
course of execution. Since the application will be running on its own
without user intervention I will have to store a username and password inside
the code of the application to run processes etc. What is the best way to do
this considering security? What is the best way to prevent someone from
reverse engineering the application and getting to the password? Thanks in
advance for any help.

Hi Primera,

Could you just clarify /why/ you need to store a password in your
application? Is it because you need to impersonate a user, in order to
execute a process in the context of that user?
 
Assuming the user actually interacts with your application, the
best way to do it is to require the user to supply a password when your
app starts. Then encrypt/decrypt the passwords for the other systems
with the password the user just provided.
One example of this technique is Firefox's "master password"
feature.
 
You probably should not keep the password and username inside your
application, they should be in separate files. Keep them on disk, in
the registry, on a floppy (remember them?), removable USB memory stick
or on a different machine on the network so if the application is
compromised then the password is not necessarily compromised. The
floppy/USB options let you remove the password files completely and
lock them in a safe when they are not needed. Keeping them outside
the application allows the password to be changed more easily when the
external application changes its password - no need to recompile.

How secure do you want the password to be? It could be as simple as a
Caesar cypher, "password" becomes "rcuuyqtf" (shift each letter by
two). For something more secure store a random array of bytes of
sufficient length and also store password XOR random_bytes in a
different location. When you need the password just do another XOR
with the random bytes. Pick a new set of random bytes every so often,
or after so many uses, and re-encrypt the username and password files.
If you have a cryptographically secure random number generator
available then you should use that in preference to any standard PRNG.
Google "Yarrow" or "Fortuna" for two CSPRNGs.

For advice from real experts try asking on sci.crypt

rossum
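
The XOR scheme described in the post above (random bytes in one location, password XOR random bytes in another, periodic re-encryption with fresh bytes), as an added example that is not part of the original thread. Python, the file names, the temporary directories standing in for two separate locations, and the sample credential are all assumptions made for illustration. Each file on its own reveals only the secret's length; an account that can read both files recovers the password.

```python
import os
import secrets
import tempfile

def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Return (pad, masked): pad comes from the OS CSPRNG, masked = secret XOR pad."""
    pad = secrets.token_bytes(len(secret))
    return pad, bytes(s ^ p for s, p in zip(secret, pad))

def join_secret(pad: bytes, masked: bytes) -> bytes:
    """XOR the two shares back together; refuse shares that do not match in length."""
    if len(pad) != len(masked):
        raise ValueError("share lengths differ: files are out of sync or corrupted")
    return bytes(m ^ p for m, p in zip(masked, pad))

def write_share(path: str, data: bytes) -> None:
    """Write a share with owner-only permissions (mode 0600 where the OS honours it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def read_share(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()

def store(secret: bytes, pad_path: str, masked_path: str) -> None:
    pad, masked = split_secret(secret)
    write_share(pad_path, pad)
    write_share(masked_path, masked)

def load(pad_path: str, masked_path: str) -> bytes:
    return join_secret(read_share(pad_path), read_share(masked_path))

def rotate(pad_path: str, masked_path: str) -> None:
    """Pick a new set of random bytes and re-mask the same secret."""
    store(load(pad_path, masked_path), pad_path, masked_path)

def demo() -> bool:
    credential = b"svc_user:example-password"  # constructed sample value
    with tempfile.TemporaryDirectory() as loc_a, tempfile.TemporaryDirectory() as loc_b:
        pad_path = os.path.join(loc_a, "pad.bin")        # hypothetical location 1
        masked_path = os.path.join(loc_b, "masked.bin")  # hypothetical location 2
        store(credential, pad_path, masked_path)
        before = read_share(masked_path)
        rotate(pad_path, masked_path)
        # Same credential comes back, but the stored bytes changed after rotation.
        return load(pad_path, masked_path) == credential and read_share(masked_path) != before

if __name__ == "__main__":
    print(demo())
```
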
 
