
I have a problem that you may be able to help me with. I have a program written in C#, but this program uses some passwords that need to be hidden from everyone (very critical).

But as everybody knows, anyone can decompile the exe or any dll of my program and learn these passwords, in easy or difficult ways.

I am thinking of putting the piece of my code that has these passwords on a hardware module connected to the PC that my program is running on, and having my program deal with this hardware.

Is there any hardware module I can search for to use in my program?

  • Have you looked into things like HMAC authentication or public-key cryptography? I think it's likely that you can build on years of research in cryptography here. – Jakob Runge Oct 11 '15 at 10:26
  • It is software; if I put it in a dll file, anyone can decompile it and learn the passwords. – امير طارق Oct 11 '15 at 12:05

1 Answer

It is best to never hard-code sensitive information directly in a program. Also, information like this should never be stored as plain text.

Instead, try to store this information in a database (even a local one, depending on your needs), hashing it using MD5 or SHA1. A hashed password shouldn't be reversible back to the original.

When the user logs in, you just use the same hash code to hash that typed-in password and compare it to the one hashed in the database. If they are the same, it means that the user entered the correct information.

Matei Radu
  • These passwords are not login data. These passwords are like the sa passwords for SQL servers on several servers that the application connects to. I want them in plain form to use in the connection string, so I can't use hashing, and if they are plain text in the C# dll file, anyone can decompile it and learn them. – امير طارق Oct 11 '15 at 12:03
  • …so why isn't it possible to use symmetric encryption like AES or Serpent then? If you're running code on a machine, at some point the data will end up in RAM anyway and can be dumped from there. So if you're going to store something like that, you could use symmetric encryption and have a password entered, or even use a smartcard with it, on start of the program, thus keeping the data on disk secure. – Jakob Runge Oct 11 '15 at 12:14
  • …also MD5 or SHA1 shouldn't be the go-to variants of hashes anymore. There are better secure hash algorithms to choose, and even some specialized for password data {scrypt, bcrypt…}. – Jakob Runge Oct 11 '15 at 12:16
  • All of this is OK, but all of these solutions are software that will be written, for example, in C# as a dll file, right? Anyone can take this dll file from the computer that runs my program, disassemble it using any tool, see my code that has the encryption or hashing method, and break it. – امير طارق Oct 11 '15 at 12:46
  • No. See, the point with cryptography is that you use well-studied implementations and algorithms where the math makes certain that you can't just reverse engineer a secret without tremendous computing effort. I think the bigger problem here is that your secret will at some point eventually be in the computer's memory and apparently must pass there in clear text. For a further discussion of cryptography topics I recommend asking on https://crypto.stackexchange.com/ – Jakob Runge Oct 11 '15 at 20:50
  • I agree with @JakobRunge: go in depth with cryptography and I think you'll find an acceptable solution for your problem on the Cryptography Stack Exchange site. – Matei Radu Oct 11 '15 at 22:09
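
The approach suggested in the comments (encrypt the connection string on disk and derive the key from a passphrase entered when the program starts) could look like the following. This is an added example, not code posted by anyone in the thread. It assumes .NET 8 or later, AES-GCM with a PBKDF2-derived key, and hypothetical names (`SecretStore`, `Protect`, `Unprotect`) and sample values.

```csharp
// Added example (not from the thread). Assumes .NET 8+; all names are hypothetical.
using System;
using System.Security.Cryptography;
using System.Text;

static class SecretStore
{
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, Header = SaltLen + NonceLen + TagLen;

    // PBKDF2-HMAC-SHA256; the iteration count is an assumed work factor.
    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, 600_000, HashAlgorithmName.SHA256, 32);

    // Returns salt || nonce || tag || ciphertext; only this blob is written to disk.
    public static byte[] Protect(string secret, string passphrase)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] blob = new byte[Header + plain.Length];
        RandomNumberGenerator.Fill(blob.AsSpan(0, SaltLen + NonceLen)); // fresh salt and nonce
        byte[] key = DeriveKey(passphrase, blob[..SaltLen]);
        using (var aes = new AesGcm(key, TagLen))
            aes.Encrypt(blob.AsSpan(SaltLen, NonceLen), plain,
                        blob.AsSpan(Header), blob.AsSpan(SaltLen + NonceLen, TagLen));
        CryptographicOperations.ZeroMemory(key);
        return blob;
    }

    // Throws CryptographicException if the passphrase is wrong or the blob was altered.
    public static string Unprotect(byte[] blob, string passphrase)
    {
        if (blob.Length < Header) throw new CryptographicException("Blob too short.");
        byte[] plain = new byte[blob.Length - Header];
        byte[] key = DeriveKey(passphrase, blob[..SaltLen]);
        try
        {
            using var aes = new AesGcm(key, TagLen);
            aes.Decrypt(blob.AsSpan(SaltLen, NonceLen), blob.AsSpan(Header),
                        blob.AsSpan(SaltLen + NonceLen, TagLen), plain);
            return Encoding.UTF8.GetString(plain);
        }
        finally { CryptographicOperations.ZeroMemory(key); }
    }

    static void Main()
    {
        // Constructed sample value, not a real server or credential.
        string conn = "Server=db.example.test;User Id=app;Password=CONSTRUCTED-SAMPLE";
        byte[] blob = Protect(conn, "passphrase typed by the operator at startup");
        Console.WriteLine(Unprotect(blob, "passphrase typed by the operator at startup") == conn);
        try { Unprotect(blob, "wrong passphrase"); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase rejected"); }
    }
}
```

Decompiling the assembly reveals the algorithm but not the passphrase, which is never stored with the program. As the comments point out, the decrypted connection string is still present in process memory while the program runs, so this protects only the copy on disk.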