Hardcoded Passwords

[Darren66]

I am considering building an application which would include various users being able to ftp files to a website. I don't particularly want to give the users the login/password for ftp access to the site but at the same time I know it's not a very good idea to hardcode passwords!

 

Can anyone suggest what the best method would be to get this type of security?

Would Dotfuscator have any effect as (I am no expert on this) I think password could be intercepted when it leaves the application??

[Volte]

Dotfuscator just alters your variable and sub names and makes your code as confusing as possible so any decompiled code would be next to worthless to anyone who wasn't serious about retrieving the code.

 

Hardcoding the password in the app won't do much good and someone with a hex editor could get it out if they want. Not only that, but they could capture the data being sent out of the program with some sort of packet sniffer and possibly get the password from that (if it's not 128-bit encrypted or something).

 

Do you have any administrative rights to this FTP? If you do, you could simply set up an 'incoming' directory that people have access to upload to and don't give them any upload rights to any of the other directories. That way you could give the username and password to the users without worrying about them messing up anything else.

[Darren66]

I don't have administrative rights at the moment but I will get them and attempt what you mentioned.

Many Thanks

[Martin]

The other way to do passwords is to make them based on an encryption algorithm (use name as key or something), but if you are seriously worried about people reversing your code and taking the password, then this isnt going to help either because they can modify the JMP that takes them to the "wrong password" dialog and then bypass your security like that....