
Database Password Exposed

Hello!

Is there a way to hide the password of your database inside the source code?

"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & Application.StartupPath & "\Database.accdb; Jet OLEDB:Database Password = MyPassword"

As you can see, the password is exposed, increasing the risk of the database being compromised. Is there anything you can suggest for how I can work around this one?

Thanks in advance!

ryklon

If your source code is available to read, I suspect no. String constants in exe files can be easily extracted so if you want to "hide" the password in the exe then you can build it at run time a character or two at a time, even using conversion from numeric values to further obscure the actual password.

Reverend Jim

Thanks for the reply.

Can you please elaborate on how I can actually do that?

Thanks!

ryklon

Sure. Take the console app:

Module Module1

    Sub Main()

        ' String literal: stored in the compiled exe, so strings.exe can find it
        Dim password As String = "mypass"
        Console.WriteLine("password=" & password)

        ' Built one character per statement at run time: s, e, c, r, e, t
        password = Chr(115)
        password &= Chr(101)
        password &= Chr(99)
        password &= Chr(114)
        password &= Chr(101)
        password &= Chr(116)
        Console.WriteLine("password=" & password)

    End Sub

End Module

When you run it you will get the output

password=mypass
password=secret

If you extract the string values from the exe file (I use strings.exe, a tool from the excellent SysInternals Suite available free here) you can see the string "mypass" but not the constructed string "secret".

Please note that if you build "secret" in one line of code like

password = Chr(115) & Chr(101) & Chr(99) & Chr(114) & Chr(101) & Chr(116)

The compiler will optimize this to

password = "secret"

and, therefore, the string will be available for detection. The above method does not prevent someone extracting the string by examining the machine code with a disassembler or a debugger but it does add a level of obfuscation to prevent casual sleuthing.

Reverend Jim
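
The string extraction described in the answer above, as an added example that is not part of the original posts: a Python check that scans build output for connection-string passwords the way strings.exe finds them. The function names and the sample byte strings are constructed for this example. An empty result only means no literal was found; as the answer says, a value assembled at run time can still be read with a disassembler or debugger.

```python
import re

# Credential keys seen in OLE DB / ADO connection strings; the first is the
# key used in the thread's connection string.
CRED_KEY = re.compile(
    r"(?i)\b(Jet OLEDB:Database Password|Password|Pwd)\s*=\s*[^\s;\"'][^;\"']*")

def extract_strings(blob, min_len=6):
    """Yield (encoding, text) for printable runs in a binary.

    Both ASCII and UTF-16LE are scanned, as strings.exe does, because
    .NET assemblies store string literals as UTF-16LE.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in wide_run.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16-le")

def find_embedded_credentials(blob):
    """Return (encoding, key) per credential literal; the value is not echoed."""
    return [(enc, m.group(1))
            for enc, text in extract_strings(blob)
            for m in CRED_KEY.finditer(text)]

def fake_assembly(*literals):
    """Constructed stand-in for a compiled exe: header bytes plus UTF-16LE literals."""
    body = b"".join(b"\x7f" + s.encode("utf-16-le") + b"\x00" for s in literals)
    return b"MZ\x90\x00" + b"\x00" * 8 + body + b".text\x00\x00\x00"

# Constructed samples. The first mirrors the question: the password is in a literal.
WITH_LITERAL = fake_assembly(
    "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=",
    "\\Database.accdb; Jet OLEDB:Database Password = MyPassword")
# The second mirrors the answer: the key is a literal, the value is built with Chr().
BUILT_AT_RUNTIME = fake_assembly(
    "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=",
    "\\Database.accdb; Jet OLEDB:Database Password = ")

if __name__ == "__main__":
    print(find_embedded_credentials(WITH_LITERAL))
    print(find_embedded_credentials(BUILT_AT_RUNTIME))
```

Run against real build output by passing the file's bytes, for example `find_embedded_credentials(open(path, "rb").read())`.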

Thanks for the tip!

Much appreciated.

ryklon

Any time. Please mark this as solved if we are done.

Reverend Jim
Question Answered as of 1 Year Ago by Reverend Jim

© 2013 DaniWeb® LLC