Encrypting password in .ini file with aes [message #45133] Sat, 12 September 2015 16:46
Giorgio (Experienced Member, registered August 2015)
Hi there,
I created my small application interacting with a MySQL database. Currently the user and password are embedded in the source code. I would like to put them in an .ini file, but I do not like having the password in plain text. I decided to use AESstream to solve this problem. My concern is that I need the key in the source code to properly decode the password in the .ini file, so at the end of the day it is more or less the same as having the password in the source code (i.e. in the same way that a malicious user could decompile the source code to get the password, he could do the same to get the key and then decode the .ini file). What would be the right approach?
Thanks,
Giorgio
Re: Encrypting password in .ini file with aes [message #45134 is a reply to message #45133] Sat, 12 September 2015 22:19
Mindtraveller (Experienced Contributor, registered August 2007, Russia, Moscow rgn.)

Hi Giorgio,

According to Kerckhoffs's principle, you can't leave any kind of key in the source code, because it gives almost the same "security" as an unencrypted password.
This usually means you'll have to split the information needed to construct the key into parts. At least one part of it can't be reverse engineered from the source code or the app's data files. The truth is that everything you construct programmatically will be reconstructible and reverse engineerable. The honest solution here is to make the user remember the key (or part of it) himself. A dirtier solution is to have this key generated by a number of algorithms which will only separate out the lazy hackers.
And the last note is about the key itself. Please don't make the user's password the encryption key. It lowers the security level. Please use at least this formula:
key = hash(salt + password)

Thanks
Pavel
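The scheme Pavel describes, as an added worked example that is not part of the original thread and not U++ code: the .ini file holds a random salt, a nonce and the AES-encrypted database password, while the key is derived from a secret the user types at startup via key = hash(salt + password), here an iterated PBKDF2-HMAC-SHA256 rather than a single hash. It uses the Go standard library instead of U++'s AESstream, and the field names (kdf_salt, kdf_iterations, nonce, password_ct), the iteration count and the sample credentials are all assumptions made for the example. AES-GCM is used so that a wrong secret or an edited file is detected instead of silently producing garbage, and the user name is passed as associated data so it cannot be swapped without breaking the tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// kdfIterations is an assumed work factor; raise it until derivation costs a
// noticeable fraction of a second on the slowest machine that will run this.
const kdfIterations = 100000

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) for one 32-byte
// block: the reply's key = hash(salt + password), iterated so guessing is slow.
func deriveKey(secret, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword encrypts dbPassword under a key derived from userSecret and
// returns the text of a [database] section to write into the .ini file.
func SealPassword(dbUser, dbPassword, userSecret string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	gcm, err := newGCM(deriveKey([]byte(userSecret), salt, kdfIterations))
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The user name is associated data: it stays readable in the file, but
	// editing it makes decryption fail instead of unlocking another account.
	ct := gcm.Seal(nil, nonce, []byte(dbPassword), []byte(dbUser))
	var b strings.Builder
	fmt.Fprintf(&b, "[database]\nuser = %s\n", dbUser)
	fmt.Fprintf(&b, "kdf_salt = %s\nkdf_iterations = %d\n", hex.EncodeToString(salt), kdfIterations)
	fmt.Fprintf(&b, "nonce = %s\npassword_ct = %s\n", hex.EncodeToString(nonce), hex.EncodeToString(ct))
	return b.String(), nil
}

// parseSection reads "key = value" lines; section headers and ';' comments are skipped.
func parseSection(ini string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(ini, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '[' || line[0] == ';' {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			continue
		}
		kv[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return kv
}

// OpenPassword recovers the database password from the .ini text. A wrong
// secret or a tampered file fails the GCM tag check rather than returning garbage.
func OpenPassword(ini, userSecret string) (string, string, error) {
	kv := parseSection(ini)
	salt, err1 := hex.DecodeString(kv["kdf_salt"])
	nonce, err2 := hex.DecodeString(kv["nonce"])
	ct, err3 := hex.DecodeString(kv["password_ct"])
	iters, err4 := strconv.Atoi(kv["kdf_iterations"])
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil || iters < 1 {
		return "", "", errors.New("malformed [database] section")
	}
	gcm, err := newGCM(deriveKey([]byte(userSecret), salt, iters))
	if err != nil {
		return "", "", err
	}
	if len(nonce) != gcm.NonceSize() {
		return "", "", errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(kv["user"]))
	if err != nil {
		return "", "", errors.New("wrong secret or tampered .ini file")
	}
	return kv["user"], string(pt), nil
}

func main() {
	// Constructed sample values; a real program would prompt for the secret.
	ini, err := SealPassword("shopfloor", "factory-db-pw", "operator-pin-4711")
	if err != nil {
		panic(err)
	}
	fmt.Print(ini)
	user, pw, err := OpenPassword(ini, "operator-pin-4711")
	fmt.Println(user, pw, err)
	_, _, err = OpenPassword(ini, "wrong-pin")
	fmt.Println("wrong secret:", err)
}
```

The secret still has to come from somewhere outside the binary and the .ini file, which is exactly the part Pavel says cannot be programmed away; if nobody can be asked to type it, the remaining options are the operating system's credential store or the single sign-on Giorgio mentions below, and the file then protects against nothing more than casual reading.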
Re: Encrypting password in .ini file with aes [message #45135 is a reply to message #45134] Sun, 13 September 2015 13:12
Giorgio (Experienced Member, registered August 2015)
Hi Pavel,
thank you for your really informative answer. Sadly, asking users to remember a password is not a feasible option: they are machinists in a manufacturing company and could punch me in the face if I asked them to - literally, not joking. Anyway, the application is used only in our private network, the MySQL user has almost no rights on the DB and the password is known by almost anyone in the factory, so this is more an exercise for my programming skills than a real need. Maybe an option could be using the single sign-on from the operating system.
Regards,
Giorgio