
Re^2: Keeping a password safe.

by Steve_BZ (Chaplain)
on Jun 10, 2012 at 16:15 UTC (#975457)

in reply to Re: Keeping a password safe.
in thread Keeping a password safe.

Hi Moritz,

Thanks for the response.

I guess it's true to some extent. It's interesting that Windows, where you don't have access to the source code, generally has more security issues than Linux where you do. But even with Windows you have to be a serious hacker to get into it properly: I couldn't do it, for example.

I don't need bank-level security with remote chip and PIN; however, some ordinary commercial-grade security would be nice.



Re^3: Keeping a password safe.
by moritz (Cardinal) on Jun 11, 2012 at 09:01 UTC

    Your analogy misses an important point. To compromise a Windows system, you have to find a new vulnerability, which isn't easy.

    But to get access to a password that a program uses for accessing an FTP server, all one has to do is to monitor the network traffic. There are even tools that automatically sniff out passwords from traffic dumps.

    Even if you use a more sophisticated approach (like FTP over SSL), the password needs to be in plain text in the memory of your application, and using a debugger it's not hard work to find it out.

    So since the technical avenue is closed for you, I'd recommend handing out the passwords to your users, and forbidding them (in your terms of service) to give them to third parties. Since you want to protect the downloads, I infer that you sell your software commercially, so you already have some form of direct contact with your customers.

    If you want to be a bit more careful, give out different passwords to different users, so that you can easily disable one of them if you suspect abuse.

    Note that any "clever" solution which tries to obfuscate the password will make debugging much harder in case something goes wrong (and something always goes wrong).
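
The per-user password suggestion in the reply above, sketched as an added example that is not part of the original thread: each customer gets their own random password, only its hash is stored, and one account can be disabled without touching the others. The account table, the function names and the customer names are hypothetical, and the code assumes a Unix-like system with /dev/urandom.

```perl
#!/usr/bin/perl
# Added example (not from the thread): one download password per customer,
# so a single leaked credential can be disabled without affecting the others.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Hypothetical in-memory account table; a real service would persist this.
my %accounts;

# Draw $n random bytes from the OS CSPRNG (assumes a Unix-like /dev/urandom).
sub random_hex {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return unpack 'H*', $buf;
}

# Create a customer account and return its password exactly once.
# Only a hash is kept; the password is 128 random bits, so a plain
# SHA-256 is adequate here (it would not be for human-chosen passwords).
sub issue {
    my ($customer) = @_;
    my $password = random_hex(16);
    $accounts{$customer} = { hash => sha256_hex($password), enabled => 1 };
    return $password;
}

# Disable one customer's credential after suspected abuse.
sub revoke {
    my ($customer) = @_;
    $accounts{$customer}{enabled} = 0 if exists $accounts{$customer};
    return;
}

# True only for a known, enabled customer presenting the right password.
sub check {
    my ($customer, $password) = @_;
    my $acct = $accounts{$customer} or return 0;
    return 0 unless $acct->{enabled};
    return sha256_hex($password) eq $acct->{hash} ? 1 : 0;
}

# Constructed sample run with made-up customer names.
my %pw = map { $_ => issue($_) } qw(alice bob);
revoke('bob');    # suppose bob's password turned up on a forum
printf "%-5s -> %s\n", $_, check($_, $pw{$_}) ? 'allowed' : 'denied' for qw(alice bob);
```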
