Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Re: Keeping a password safe.

by moritz (Cardinal)
on Jun 09, 2012 at 03:07 UTC ( #975272=note: print w/replies, xml ) Need Help??

in reply to Keeping a password safe.

You cannot keep secrets from a user with system level access. It's as simple as that. And that's not unique to interpreted languages like Perl, it applies to native code too.

What you can do is provide a webservice where the secret stays on server and never reaches the client.

Replies are listed 'Best First'.
Re^2: Keeping a password safe.
by Steve_BZ (Chaplain) on Jun 10, 2012 at 16:15 UTC

    Hi Moritz,

    Thanks for response.

    I guess it's true to some extent. It's interesting that Windows, where you don't have access to the source code, generally has more security issues than Linux where you do. But even with Windows you have to be a serious hacker to get into it properly: I couldn't do it, for example.

    I don't need bank-level security with remote chip and PIN, however, some ordinary commercial-grade security would be nice.



      Your analogy misses an important point. To compromise a windows system, you have to find a new vulnerability, which isn't easy.

      But to get access a password that a program uses for accessing an FTP server, all one has to do is to monitor the network traffic. There are even tools that automatically sniff out passwords from traffic dumps.

      Even if you use a more sophisticated approach (like ftp over ssl), the password needs to be in plain text in the memory of your application, and using a debugger it's not hard work to find it out.

      So since the technical avenue is closed for you, I'd recommend to hand out the passwords to your users, and forbid them (in your terms of service) to give it to third parties. Since you want to protect the downloads, I infer that you sell your software commercially, so you already have some form of direct contact with your customers.

      If you want to be a bit more careful, give out different passwords to different users, so that you can easily diable one of them if you suspect abuse.

      Note that any "clever" solution which tries to obfuscate the password will make debugging much harder in case something goes wrong (and something always goes wrong).

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://975272]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (6)
As of 2018-01-19 11:43 GMT
Find Nodes?
    Voting Booth?
    How did you see in the new year?

    Results (217 votes). Check out past polls.