I intend to save a password/secret key in my Go application to be used in communication with some other applications. I wonder how to secure it from, for example, someone obtaining the binary and searching for it in some hex viewer. Are such security practices common, or am I worrying too much?
3
- 4 If you're distributing a secret key to users, it's not a secret key anymore. The only question left is how long until someone extracts the key from your program (and that, of course, is a function of how popular the program is, how much you attempt to obfuscate the key, and how valuable having the key outside of your program would be). – Lily Ballard Jan 20 '12 at 01:34
- @KevinBallard I don't intend on distributing a secret key to the users, only to use it for communication with my other application (one instance of an application communicates with one instance of another application, it isn't distributed over many instances, etc.). – ThePiachu Jan 20 '12 at 02:18
- 1 Distributing your app to a user is the same thing as distributing your secret key to the user, just wrapped up in a nice shiny executable. – Lily Ballard Jan 20 '12 at 03:14
2 Answers
14
Succinctly:
Don't!
It won't be secure; it will be broken. Further, if everyone is using the same password, then when it is broken once for one person, it is broken for all time for everyone.

Jonathan Leffler
4
Obfuscate the data and/or code. This means to store the password in a form that is reasonably difficult to search for, and if its location is found, the password is reasonably difficult to decipher.
In case no obfuscation method is secure enough (you want full security), the only solution is not to put the password into the executable in any form.