473,708 Members | 2,377 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Clear Password String in C# Compiled Code

Hello there,

I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code. Here is
my code:

static private string Hello1 = "Hello my world";

private void button1_Click(o bject sender, EventArgs e)
{

string filePath = @"C:\Windows\No tepad.exe";
string userName = "Username";
string password1 = "MyPassword ";
// ProcessStartInf o psi = new ProcessStartInf o(args[0]);
ProcessStartInf o psi = new ProcessStartInf o(filePath);
psi.UserName = userName;

psi.Password = ConvertStringTo SecureString(pa ssword1);
psi.Domain = "";
psi.UseShellExe cute = false;
psi.CreateNoWin dow = true;
psi.WindowStyle = ProcessWindowSt yle.Hidden;

Process.Start(p si);
}

private static SecureString ConvertStringTo SecureString(st ring
password)
{
SecureString tempSecureStrin g = new SecureString();

foreach (char c in password)
{
tempSecureStrin g.AppendChar(c) ;
}

return tempSecureStrin g;
}


When I opened the compiled version using the notepad, I see this in the
middle of text:

-- snippet --
ControlCollecti on get_Controls Add ResumeLayout
WindowsApplicat ion1.Properties .Resources.reso urces
WindowsApplicat ion1.Form1.reso urces QW i n d o w s A p p l i c a t
i o n 1 . P r o p e r t i e s . R e s o u r c e s -C : \ W i n d o w s
\ N o t e p a d . e x e U s e r n a m e M y P a s s w o r d  b u
t t o n 1 F o r m 1 H e l l o m y w o r l d Asì*½???^쩾?
톧\V4?         
 ! %
-- snippet --

Clearly, I can see the hello1, filepath, username, password values.
I am using VS.NET 2005 with Framework v2.0. And I found the RunAs code
sample from Web sites. Many sites have the examples.

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.

Dec 6 '06 #1
11 15618
You could use the Cryptography Application Block, and place the encrypted
password in the application's configuration file. Normally I would always
try to prevent hard coded string literals.

Gabriel Lozano-Morán

"cooltoriz" <yp*****@gmail. comwrote in message
news:11******** **************@ l12g2000cwl.goo glegroups.com.. .
Hello there,

I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code. Here is
my code:

static private string Hello1 = "Hello my world";

private void button1_Click(o bject sender, EventArgs e)
{

string filePath = @"C:\Windows\No tepad.exe";
string userName = "Username";
string password1 = "MyPassword ";
// ProcessStartInf o psi = new ProcessStartInf o(args[0]);
ProcessStartInf o psi = new ProcessStartInf o(filePath);
psi.UserName = userName;

psi.Password = ConvertStringTo SecureString(pa ssword1);
psi.Domain = "";
psi.UseShellExe cute = false;
psi.CreateNoWin dow = true;
psi.WindowStyle = ProcessWindowSt yle.Hidden;

Process.Start(p si);
}

private static SecureString ConvertStringTo SecureString(st ring
password)
{
SecureString tempSecureStrin g = new SecureString();

foreach (char c in password)
{
tempSecureStrin g.AppendChar(c) ;
}

return tempSecureStrin g;
}


When I opened the compiled version using the notepad, I see this in the
middle of text:

-- snippet --
ControlCollecti on get_Controls Add ResumeLayout
WindowsApplicat ion1.Properties .Resources.reso urces
WindowsApplicat ion1.Form1.reso urces QW i n d o w s A p p l i c a t
i o n 1 . P r o p e r t i e s . R e s o u r c e s -C : \ W i n d o w s
\ N o t e p a d . e x e U s e r n a m e M y P a s s w o r d  b u
t t o n 1 F o r m 1 H e l l o m y w o r l d As????^??
?\V4?         
 ! %
-- snippet --

Clearly, I can see the hello1, filepath, username, password values.
I am using VS.NET 2005 with Framework v2.0. And I found the RunAs code
sample from Web sites. Many sites have the examples.

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.
Dec 6 '06 #2
On 6 Dec 2006 11:29:52 -0800, cooltoriz wrote:

I have to hardcode the password in my application in SECURE way. Could
someone give me an example or tips? I appreciate your help.
Most good obfuscators offer string encryption for precisely this purpose.
Check out Dotfuscator and Xenocode
--
Bits.Bytes
http://bytes.thinkersroom.com
Dec 6 '06 #3
On 6 Dec 2006 11:29:52 -0800, "cooltoriz" <yp*****@gmail. comwrote:
>Hello there,

I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code.
[snip]

One way is to do your own encryption. It will not be completely
secure since anyone who can disassemble your code can disassemble the
decryption function, but it will stop casual readers or a simple
search for ASCII strings being able to pick out the password.
static string codedPassword = "elephant";

static string DecodePassword( string cyphertext) {
byte[] key = { 0x16, 0x1D, 0x10, 0x19, 0x1A, 0x13, 0x0B, 0x18 };
StringBuilder sb = new StringBuilder(c yphertext);
for (int i = 0; i < sb.Length; ++i) {
sb[i] = (char)(key[i] ^ sb[i]);
}
return sb.ToString();
}

static void Main() {
Console.WriteLi ne("The secret password is: {0}",
DecodePassword( codedPassword)) ;
}

This example uses a simple XOR encryption. I deliberately made the
coded password look like a real word as an added level of
misdirection. The real password does not appear anywhere in the
program file.

An alternative, short of actual encryption, is to put the password
into Base64 in your source file and to decode it as needed. For
example, "elephant" = "ZWxlcGhhbn Q=" in Base64. The disadvantage is
that it is easily recognisable as Base64.

Another alternative is to have a plaintext password in your source,
but to use the Base64 as the actual password within your program.
Have "elephant" in the source, but use "ZWxlcGhhbn Q=" as the actual
password.

Other ideas along these lines are possible.

rossum

Dec 7 '06 #4
rossum <ro******@coldm ail.comwrote:
>One way is to do your own encryption.
This example uses a simple XOR encryption.
What they often do in unix-land is use the standard crypt() function
for encryption. (instead of simple XOR or whatever). There must be a
..net equivalent somewhere. With the "crypt" function, I seem to
remember, it's not possible to deduce the plaintext password given its
cryptographic hash. You will still be vulnerable to a "dictionary "
attack where the attacker tries every single word in the dictionary
until he finds one that generates the right hash, but that's it.

--
Lucian
Dec 7 '06 #5
cooltoriz wrote:
Hello there,

I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code. Here is
my code:
store the password encrypted instead! take your password in clear-text
and encrypt it with SHA1 or MD5 or something else. Then you store the
hash from your password in the code. when the user enters a password you
calculate the hash from this password and compare it to yours. this is
safe and easy.

alain
Dec 7 '06 #6
On Thu, 07 Dec 2006 13:23:47 +0100, 0xB055 <ma******@hotma il.com>
wrote:
>cooltoriz wrote:
>Hello there,

I just found that the compiled code won't hide the string variables so
that I can see them by opening the execuable using Notepad. I have
couple applications that have password hardcoded and I've been thinking
that the string varialbes are hidden in compiled code. I knew that the
VS.NET doesn't compile the source code into machine code. But I didn't
know that it will expose string variables in the compiled code. Here is
my code:
store the password encrypted instead! take your password in clear-text
and encrypt it with SHA1 or MD5 or something else. Then you store the
hash from your password in the code. when the user enters a password you
calculate the hash from this password and compare it to yours. this is
safe and easy.

alain
Easy, but not safe. This form of password storage is vulnerable to a
dictionary attack. To avoid that you need to add (cryptographic) salt
to the password before hashing, where the salt is different for every
user. See http://en.wikipedia.org/wiki/Salt_(cryptography).

rossum

Dec 7 '06 #7


Thank you all for informatoin, I always appreciate your help.

The applications are internal only. Our users only have restricted
privilege and they are remote users. So I am writing an application so
that they can install software using my application that use local
admin account previlege. However, I don't want them to know the account
password.

I was informed that someone tried to open it up using Notepad and found
the password. Since the password is the same as other computers. There
is a chance that he can use it to access other computer. I will change
the admin password and redistribute applications once I change my
codes.

Again, thank you for your knowledge.

Dec 7 '06 #8
rossum <ro******@coldm ail.comwrote:
>Easy, but not safe. This form of password storage is vulnerable to a
dictionary attack. To avoid that you need to add (cryptographic) salt
to the password before hashing, where the salt is different for every
user. See http://en.wikipedia.org/wiki/Salt_(cryptography).
Can you explain how salt applies here, please? I mean, he's
hard-coding a password in the executable. There are no users, and they
don't type in a password at runtime. So he'd have to pre-salt his
thing before storing it in the executable. And so someone would
disassemble his code, see which salt he's using, and proceed with a
dictionary attack against that salt.

--
Lucian
Dec 7 '06 #9
"cooltoriz" <yp*****@gmail. comschrieb im Newsbeitrag
news:11******** *************@n 67g2000cwd.goog legroups.com...
>

Thank you all for informatoin, I always appreciate your help.

The applications are internal only. Our users only have restricted
privilege and they are remote users. So I am writing an application so
that they can install software using my application that use local
admin account previlege. However, I don't want them to know the account
password.

I was informed that someone tried to open it up using Notepad and found
the password. Since the password is the same as other computers. There
is a chance that he can use it to access other computer. I will change
the admin password and redistribute applications once I change my
codes.

Again, thank you for your knowledge.
In this case, it is better to not to use the password to authenticate from
outside the system. Not only can your users know the password but anyone who
has access to the executable. You shouldn't undersetimate the chance, the
executable comes into wrong hands. Even if the password was encrypted 100%
safe (wich is not possible), anyone having access to the executable could
gain access to your network through it and make anything your users make.

Instead your users should be mandated to authenticate themselves with their
own account, and then the server part of the application should autheticate
itself against the system with an application-account to have access to the
resources it needs.

Also you surely shouldn't ever give an admin password out of your system, if
encrypted or not.
Dec 8 '06 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

19
105815
by: Dave | last post by:
Hi, I have done some research, trying to Clear The Screen in java code. The first option was the obv: system.out.print("\n\n\n\n\n\n\n\n\n\n\n\n"); then i heard about this method: System.out.print((char)27 + "[2J");
10
11119
by: cppdev | last post by:
Hi All! I want to clear the string contents from sensitive information such as passwords, and etc. It's always a case that password will appear as string at some point or another. And i feel uneasy leaving it hanging in memory indefinitely (especially in case when string is Interned). So at leats for the case when string is not interned i propose:
0
1709
by: Anonymous User | last post by:
Hi, I am working on a mobile application that consists of a number of handheld scanners, an Xml Web service and an Oracle 9i database in a highly secure environment. The .Net Compact Framework application running on the scanners executes Web service methods, which in turn execute Oracle database functions. The Web service and the Oracle database are running on separate servers. The Web service uses the Microsoft OLE DB driver for Oracle....
2
27199
by: nickyeng | last post by:
i have a function that clear the screen and then display array to cout. i compiled no error no warning, i run it, the screen really get "clear" but it does not display anything to cout, and it "clear screen" to blanks for 2 seconds, the screen return to this : http://i19.photobucket.com/albums/b171/NickyEng/clear.jpg Here is my coding: /* screen.h */ #ifndef _SCREEN_H_ #define _SCREEN_H_ #include <string>
0
1875
by: calvinkwoo3000 | last post by:
My Window application run property withour link to mdb without password. Once i set security password to mdb file, the error belor come out when i click detail. Not a valid password. and detail as below the string to connect to mdb is conn = new OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\\mms.mdb;Jet OLEDB:Database Password=password;"); See the end of this message for details on invoking ...
3
3620
by: Nelluru | last post by:
Hi, I want to open user details or some data pages in a new window after he enters the username and password. I am able to open in a new window but the problem is that i am not able to clear the username and passwords in the parent page. In this website(bytes.com) when a member signs in, the password field is getting cleared and the member verification is done without any problem. I want to do in the same way but the next...
0
8787
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8697
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9289
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9158
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
9001
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
6615
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5939
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
2
2508
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
2096
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.