Click here to Skip to main content
11,432,427 members (61,493 online)
Rate this: bad
good
Please Sign up or sign in to vote.
See more: VB VB.NET
Hello all,

Yesterday I used some code I found on this site to temporarily authenticate to a UNC path and then transfer data. Here is the link Connect to a UNC Path with Credentials[^].

It works great but the problem is that the credentials for authenticating to the file server are in plain text in the code. Obviously it is not visible to the user when using the .exe but I am concerned that some nefarious user could decompile the exe and get at the credentials. Is this something I should even be concerned about? If so, is there a way to somehow hide or encrypt the credentials so that they would not be visible in such a situation?

Thanks in advance for your help.

-Matt
Posted 25-Apr-13 4:09am
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

Firstly, assess the risk associated with someone retrieving the credentials, particularly in terms of:

1. How likely it is.
2. What damage would be caused by someone using those credentials.
3. How quickly you can respond to the compromise in terms of securing the resource the credentials are used to access and in terms of distributing a fix.

I would almost certainly suggest there should at least be some obfuscation as the credentials are probably very easily accessible of they are just text constants. As for obfuscating the text, I would suggest some kind of symmetric algorithm (not neccessarily encryption with a key) and then put some anti debugging code in place. There are some good chapters in this book[^] that mnight be worth looking at.

If the impact and likelihood of a compromise is significant, then you may need to think about something a bit more secure and abandon hard coded credentials.
  Permalink  
v2
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 2

It's easier to get those credentials then decompiling. You can just use Sysinternals Process Explorer (if you haven't seen it yet, it's task manager on steroids). With that, you can view all the strings in any running application.

I'm sure there are better ways now, but I would probably encrypt the credentials and hide them in a .dll that I include with my application. When your app starts up, read the credentials from the .dll, decrypt them and use them to connect. Then write a new value to the string that contained the credentials.

Like I said - I'm sure there are better ways to handle this these days - but that's what I would do.

- Pete
  Permalink  

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



Advertise | Privacy | Mobile
Web04 | 2.8.150428.2 | Last Updated 27 Apr 2013
Copyright © CodeProject, 1999-2015
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100