By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
432,175 Members | 1,689 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 432,175 IT Pros & Developers. It's quick & easy.

Embed username/password/etc. in exe at install time.

P: n/a
Hello:

We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis
Jan 8 '08 #1
Share this Question
Share on Google+
5 Replies


P: n/a
je**********@gmail.com wrote:
Hello:

We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis
Why not store it in registry or a similar place?

Or do you intend to brand the file and then copy it to the target
machine? Perhaps you could just tuck the data onto the end of the file,
like this:

[ exe file contents ][ your data ][ size of your data as Int32 ]

If you build a small program to take the username/password, encrypt it
or otherwise make it less-than-readable, build a byte array, and store
it at the end, you can easily read it back in. The size at the end is
just for simplicity as you can now just read the last 4 bytes of the
file as an Int32, and use that to calculate back into the file.

I don't know how this would play with signing a file.

--
Lasse Vågsæther Karlsen
mailto:la***@vkarlsen.no
http://presentationmode.blogspot.com/
Jan 8 '08 #2

P: n/a
Travis,

Ultimately, this is an exercise in futility. The administrators should
be changing the passwords by hand.

Because you don't want the passwords to be in plain text (so others
can't see, I assume), you would encrypt the file. However, to do that, you
need an encryption key. So you embed the encyrption key into the
application (or the application constructs it from other data available to
it). However, the application can be decompiled.

So you obfuscate it. Unfortunately, there is no foolproof way to
obfuscate your code, and you run the risk of potentially breaking your code
or changing how it works due to the obfuscation process.

And even then, obfuscation is a cat and mouse game. No matter what you
do (even if you compile a native binary), you will always be able to figure
out what the code is going to do.

Ultimately, there is no way that this will be secure, and the password
administration should be handled by other means.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

<je**********@gmail.comwrote in message
news:53**********************************@e4g2000h sg.googlegroups.com...
Hello:

We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis

Jan 8 '08 #3

P: n/a
What are your thoughts about creating a webservice which returns a random
password, and logs it at "IT Central" tied to the client that got the
password? This was my first thought, and so I'm currious what you think.

"Nicholas Paldino [.NET/C# MVP]" wrote:
Travis,

Ultimately, this is an exercise in futility. The administrators should
be changing the passwords by hand.

Because you don't want the passwords to be in plain text (so others
can't see, I assume), you would encrypt the file. However, to do that, you
need an encryption key. So you embed the encyrption key into the
application (or the application constructs it from other data available to
it). However, the application can be decompiled.

So you obfuscate it. Unfortunately, there is no foolproof way to
obfuscate your code, and you run the risk of potentially breaking your code
or changing how it works due to the obfuscation process.

And even then, obfuscation is a cat and mouse game. No matter what you
do (even if you compile a native binary), you will always be able to figure
out what the code is going to do.

Ultimately, there is no way that this will be secure, and the password
administration should be handled by other means.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

<je**********@gmail.comwrote in message
news:53**********************************@e4g2000h sg.googlegroups.com...
Hello:

We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis


Jan 8 '08 #4

P: n/a
On Jan 8, 8:33*am, Lasse Vågsæther Karlsen <la...@vkarlsen.nowrote:
jehugalea...@gmail.com wrote:
Hello:
We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.
How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.
How do I do it?
Thanks,
Travis

Why not store it in registry or a similar place?
The registry is too permanent. I am a little concerned putting
anything password-like in the registry, encrypted or not. If an error
should occur, I might end up with that registry key filled even after
my application bombs out. This is meant to be a simple, stand-alone
console application.
>
Or do you intend to brand the file and then copy it to the target
machine? Perhaps you could just tuck the data onto the end of the file,
like this:

[ exe file contents ][ your data ][ size of your data as Int32 ]

If you build a small program to take the username/password, encrypt it
or otherwise make it less-than-readable, build a byte array, and store
it at the end, you can easily read it back in. The size at the end is
just for simplicity as you can now just read the last 4 bytes of the
file as an Int32, and use that to calculate back into the file.
If I understand, you are suggesting putting extra bytes on the end of
my executable. I suppose that would eliminate the need for a separate
file; however, I am not willing to go to that extreme if using an
application setting file is more approachable. Thanks for the idea
though.
>
I don't know how this would play with signing a file.

--
Lasse Vågsæther Karlsen
mailto:la...@vkarlsen.nohttp://presentationmode.blogspot.com/- Hide quotedtext -

- Show quoted text -
Thanks for the ideas.

Jan 8 '08 #5

P: n/a
You could do that, but then you have to worry about "IT Central" having
the password and how secure that storage mechanism is. The fact of the
matter is that you are storing passwords somewhere, and you have to take
into account the security of that system.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

"Family Tree Mike" <Fa************@discussions.microsoft.comwrote in
message news:42**********************************@microsof t.com...
What are your thoughts about creating a webservice which returns a random
password, and logs it at "IT Central" tied to the client that got the
password? This was my first thought, and so I'm currious what you think.

"Nicholas Paldino [.NET/C# MVP]" wrote:
>Travis,

Ultimately, this is an exercise in futility. The administrators
should
be changing the passwords by hand.

Because you don't want the passwords to be in plain text (so others
can't see, I assume), you would encrypt the file. However, to do that,
you
need an encryption key. So you embed the encyrption key into the
application (or the application constructs it from other data available
to
it). However, the application can be decompiled.

So you obfuscate it. Unfortunately, there is no foolproof way to
obfuscate your code, and you run the risk of potentially breaking your
code
or changing how it works due to the obfuscation process.

And even then, obfuscation is a cat and mouse game. No matter what
you
do (even if you compile a native binary), you will always be able to
figure
out what the code is going to do.

Ultimately, there is no way that this will be secure, and the
password
administration should be handled by other means.

--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com

<je**********@gmail.comwrote in message
news:53**********************************@e4g2000 hsg.googlegroups.com...
Hello:

We have a request for an console application to change the
administrative password on our user's machines during an upcoming
update. The console application will be called from a batch file that
the users will be able to see. Therefore, we can't put the user name/
password in the batch file or plain text in the executable. Finally,
the request specifically asked that the executable be configurable so
they can put other user name/passwords in later.

How can I recieve a user name/password and embed it in an executable?
I was thinking of having a separate file with the encrypted data in
it. However, I would prefer for there to be just the .exe. I also
don't want to create an installer, because it is just a console
application.

How do I do it?

Thanks,
Travis



Jan 8 '08 #6

This discussion thread is closed

Replies have been disabled for this discussion.