1,105,594 Community Members

Database Password Exposed

Member Avatar
ryklon
Newbie Poster
24 posts since Oct 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Hello!

Is there a way to hide the password of your database inside the source code?

"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & Application.StartupPath & "\Database.accdb; Jet OLEDB:Database Password = [B]MyPassword[/B]"

As you can see the password is exposed, increasing the risk for the database to be compromise. Is there anything you can suggest how can I work around this one?

Thanks in advance!

Member Avatar
Reverend Jim
Noli mentula
5,445 posts since Aug 2010
Reputation Points: 746 [?]
Q&As Helped to Solve: 653 [?]
Skill Endorsements: 51 [?]
Moderator
Featured
 
0
 

If your source code is available to read, I suspect no. String constants in exe files can be easily extracted so if you want to "hide" the password in the exe then you can build it at run time a character or two at a time, even using conversion from numeric values to further obscure the actual password.

Member Avatar
ryklon
Newbie Poster
24 posts since Oct 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Thanks for the reply.

Can you please elaborate more how can I actually do that?

Thanks!

Member Avatar
Reverend Jim
Noli mentula
5,445 posts since Aug 2010
Reputation Points: 746 [?]
Q&As Helped to Solve: 653 [?]
Skill Endorsements: 51 [?]
Moderator
Featured
 
1
 

Sure. Take the console app:

Module Module1

    Sub Main()

        Dim password As String = "mypass"
        Console.WriteLine("password=" & password)

        password = Chr(115)
        password &= Chr(101)
        password &= Chr(99)
        password &= Chr(114)
        password &= Chr(101)
        password &= Chr(116)
        Console.WriteLine("password=" & password)

    End Sub

End Module

When you run it you will get the output

password=mypass
password=secret

If you extract the string values from the exe file (I use strings.exe, a tool from the excellent SysInternals Suite available free here) you can see the string "mypass" but not the constructed string "secret".

Please note that if you build "secret" in one line of code like

password = Chr(115) & Chr(101) & Chr(99) & Chr(114) & Chr(101) & Chr(116)

The compiler will optimize this to

password = "secret"

and, therefore, the string will be available for detection. The above method does not prevent someone extracting the string by examining the machine code with a disassembler or a debugger but it does add a level of obfuscation to prevent casual sleuthing.

Member Avatar
ryklon
Newbie Poster
24 posts since Oct 2011
Reputation Points: 0 [?]
Q&As Helped to Solve: 0 [?]
Skill Endorsements: 0 [?]
 
0
 

Thanks for the tip!

Much appreciated.

Member Avatar
Reverend Jim
Noli mentula
5,445 posts since Aug 2010
Reputation Points: 746 [?]
Q&As Helped to Solve: 653 [?]
Skill Endorsements: 51 [?]
Moderator
Featured
 
0
 

Any time. Please mark this as solved if we are done.

Question Answered as of 2 Years Ago by Reverend Jim
You
This question has already been solved: Start a new discussion instead
Post:
Start New Discussion
View similar articles that have also been tagged: