[fpc-pascal] Resource strings, passwords etc.
Santiago A.
svaa at ciberpiula.net
Wed Jul 13 11:00:13 CEST 2016
On 12/07/2016 at 21:39, Graeme Geldenhuys wrote:
> No, but why the hell would you want to hard-code a password inside an
> executable. Encrypt it externally and read it from a .INI file at
> runtime (or prompt for a password). Even something as simple as
> XorString() is better than nothing - compared to storing it inside your
> source code.
>
> Regards,
> Graeme
Well, if you don't prompt for the password, where do you store the password
to decrypt the externally encrypted password? ;-)
Whenever you try to hide something without storing the password in
the user's brain you are just obfuscating. A hard coded password is just
another way of obfuscating strings, but with a higher level of obfuscation.
My solution to store passwords was to store the password in a .INI file
(i.e. user doesn't want to type the password, wants the program to
remember it).
The connection password was encrypted with a hard-coded password and
stored in base64 in the ini file.
i.e.
implementation

const
  // hardcoded obfuscated 123, so in resources it is not plain
  _Password = '48-49-50';

function unofuscate(const s: string): string;
begin
  .....
end;

procedure LoadData;
begin
  ....
  IniPassword := unofuscate(_Password);
  // read the base64 value from the INI file and decrypt it with the built-in key
  ConnectionPass := SimpleDecrypt(Base64Decode(ini.ReadString('connection', 'pass', '')), IniPassword);
  ....
end;
I always declared the password in the implementation section (don't
know where I read that that way there is not a recognizable symbol
"_Password"); if I had to use it in several places, I used {$include
pass.inc}.
My obfuscate function was a little more complex, but anyway, any
system that stores passwords without human intervention is inherently
insecure.
Well, it was a long time ago.
--
Saludos
Santiago A.
svaa at ciberpiula.net
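
The scheme described in the message above, written out as a complete Free Pascal program. This is an added example, not code from the original post. It shows why the message calls the approach obfuscation: the program recovers the stored password using only the constant compiled into it and the INI file beside it. The decimal-code decoding in unofuscate, the XOR body of SimpleDecrypt, the constant's value, the sample password and the file name are all assumptions; EncodeStringBase64/DecodeStringBase64 come from FPC's base64 unit.

```pascal
program IniPassDemo;
{$mode objfpc}{$H+}
uses
  SysUtils, IniFiles, base64;

const
  // Constructed constant: decimal character codes of '123' (assumed encoding).
  _Password = '49-50-51';

// Assumed decoding: split on '-' and turn each number back into a character.
function unofuscate(const s: string): string;
var
  part: string;
begin
  Result := '';
  for part in s.Split(['-']) do
    Result := Result + Chr(StrToInt(part));
end;

// Hypothetical stand-in for SimpleDecrypt: repeating-key XOR, so the same
// routine both encrypts and decrypts. The key must not be empty.
function SimpleDecrypt(const data, key: string): string;
var
  i: Integer;
begin
  Result := data;
  for i := 1 to Length(data) do
    Result[i] := Chr(Ord(data[i]) xor Ord(key[(i - 1) mod Length(key) + 1]));
end;

var
  ini: TIniFile;
  path, stored, recovered: string;
begin
  path := GetTempDir + 'conn_demo.ini';   // constructed file name
  ini := TIniFile.Create(path);
  try
    // What the application saved earlier: XOR with the built-in key, then base64.
    ini.WriteString('connection', 'pass',
      EncodeStringBase64(SimpleDecrypt('s3cret-db-pass', unofuscate(_Password))));
    // What LoadData does at startup. No input from the user is involved.
    stored := ini.ReadString('connection', 'pass', '');
    recovered := SimpleDecrypt(DecodeStringBase64(stored), unofuscate(_Password));
    WriteLn('stored in INI : ', stored);
    WriteLn('recovered     : ', recovered);
  finally
    ini.Free;
    DeleteFile(path);
  end;
end.
```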