
Embed username/password/etc. in exe at install time.

jehugaleahsa@gmail.com
Guest
 
Posts: n/a
#1: Jan 8 '08
Hello:

We have a request for a console application to change the
administrative password on our users' machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I receive a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis

Lasse Vågsæther Karlsen
Guest
 
Posts: n/a
#2: Jan 8 '08

re: Embed username/password/etc. in exe at install time.


Why not store it in registry or a similar place?

Or do you intend to brand the file and then copy it to the target
machine? Perhaps you could just tuck the data onto the end of the file,
like this:

[ exe file contents ][ your data ][ size of your data as Int32 ]

If you build a small program to take the username/password, encrypt it
or otherwise make it less-than-readable, build a byte array, and store
it at the end, you can easily read it back in. The size at the end is
just for simplicity as you can now just read the last 4 bytes of the
file as an Int32, and use that to calculate back into the file.

I don't know how this would play with signing a file.

--
Lasse Vågsæther Karlsen
mailto:lasse@vkarlsen.no
http://presentationmode.blogspot.com/
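
The trailer layout described in the post above, `[ exe file contents ][ your data ][ size of your data as Int32 ]`, as an added C# example that is not part of the original thread. The file bytes and payload are constructed samples, the class and method names are hypothetical, and the "encrypt or otherwise make it less-than-readable" step is left out.

```csharp
using System;
using System.IO;
using System.Text;

static class TrailerDemo
{
    // Append [payload][payload length as little-endian Int32] to an existing file.
    public static void AppendPayload(string path, byte[] payload)
    {
        using (var fs = new FileStream(path, FileMode.Append, FileAccess.Write))
        using (var bw = new BinaryWriter(fs))
        {
            bw.Write(payload);
            bw.Write(payload.Length);   // BinaryWriter writes Int32 little-endian
        }
    }

    // Read the payload back; returns null if the trailer is missing or implausible.
    public static byte[] ReadPayload(string path)
    {
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read))
        using (var br = new BinaryReader(fs))
        {
            if (fs.Length < 4) return null;
            fs.Seek(-4, SeekOrigin.End);
            int size = br.ReadInt32();
            // An unbranded file ends in arbitrary bytes, so bounds-check the size.
            if (size < 0 || size > fs.Length - 4) return null;
            fs.Seek(-4 - (long)size, SeekOrigin.End);
            byte[] data = br.ReadBytes(size);
            return data.Length == size ? data : null;
        }
    }

    static void Main()
    {
        // Constructed stand-in for the executable image (not a real PE file).
        string path = Path.GetTempFileName();
        File.WriteAllBytes(path, new byte[] { 0x4D, 0x5A, 0x90, 0x00, 0x03 });

        // Constructed sample payload; no encryption or encoding is applied here.
        AppendPayload(path, Encoding.UTF8.GetBytes("user=svc-example;pw=EXAMPLE-ONLY"));
        Console.WriteLine(Encoding.UTF8.GetString(ReadPayload(path)));
        File.Delete(path);
    }
}
```

The bounds check only rejects impossible sizes; a file that was never branded can still end in four bytes that look like a valid length. Anyone who can read the file can run the same `ReadPayload` logic, so the trailer by itself hides nothing.
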
Nicholas Paldino [.NET/C# MVP]
Guest
 
Posts: n/a
#3: Jan 8 '08

re: Embed username/password/etc. in exe at install time.


Travis,

Ultimately, this is an exercise in futility. The administrators should
be changing the passwords by hand.

Because you don't want the passwords to be in plain text (so others
can't see, I assume), you would encrypt the file. However, to do that, you
need an encryption key. So you embed the encryption key into the
application (or the application constructs it from other data available to
it). However, the application can be decompiled.

So you obfuscate it. Unfortunately, there is no foolproof way to
obfuscate your code, and you run the risk of potentially breaking your code
or changing how it works due to the obfuscation process.

And even then, obfuscation is a cat and mouse game. No matter what you
do (even if you compile a native binary), you will always be able to figure
out what the code is going to do.

Ultimately, there is no way that this will be secure, and the password
administration should be handled by other means.

--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com


Family Tree Mike
Guest
 
Posts: n/a
#4: Jan 8 '08

re: Embed username/password/etc. in exe at install time.


What are your thoughts about creating a webservice which returns a random
password, and logs it at "IT Central" tied to the client that got the
password? This was my first thought, and so I'm curious what you think.
jehugaleahsa@gmail.com
Guest
 
Posts: n/a
#5: Jan 8 '08

re: Embed username/password/etc. in exe at install time.


On Jan 8, 8:33 am, Lasse Vågsæther Karlsen <la...@vkarlsen.no> wrote:
> Why not store it in registry or a similar place?
The registry is too permanent. I am a little concerned putting
anything password-like in the registry, encrypted or not. If an error
should occur, I might end up with that registry key filled even after
my application bombs out. This is meant to be a simple, stand-alone
console application.
> Or do you intend to brand the file and then copy it to the target
> machine? Perhaps you could just tuck the data onto the end of the file,
> like this:
>
> [ exe file contents ][ your data ][ size of your data as Int32 ]
>
> If you build a small program to take the username/password, encrypt it
> or otherwise make it less-than-readable, build a byte array, and store
> it at the end, you can easily read it back in. The size at the end is
> just for simplicity as you can now just read the last 4 bytes of the
> file as an Int32, and use that to calculate back into the file.
If I understand, you are suggesting putting extra bytes on the end of
my executable. I suppose that would eliminate the need for a separate
file; however, I am not willing to go to that extreme if using an
application setting file is more approachable. Thanks for the idea
though.
> I don't know how this would play with signing a file.
Thanks for the ideas.

Nicholas Paldino [.NET/C# MVP]
Guest
 
Posts: n/a
#6: Jan 8 '08

re: Embed username/password/etc. in exe at install time.


You could do that, but then you have to worry about "IT Central" having
the password and how secure that storage mechanism is. The fact of the
matter is that you are storing passwords somewhere, and you have to take
into account the security of that system.


--
- Nicholas Paldino [.NET/C# MVP]
- mvp@spam.guard.caspershouse.com
