-
Feb 22nd, 2006, 07:05 AM
#1
Thread Starter
Addicted Member
hack/crack concerns
I want to know your opinions about the validity of my doubt. If I need to put the database username and password of a website in a Visual Basic program, then would it create security concerns or not?
-
Feb 22nd, 2006, 07:16 AM
#2
Re: hack/crack concerns
If you do it in plain text then yes.
- ØØ -
-
Feb 22nd, 2006, 07:18 AM
#3
Re: hack/crack concerns
 Originally Posted by slice
I want to know your opinions about the validity of my doubt. If I need to put the database username and password of a website in a Visual Basic program, then would it create security concerns or not?
Are you talking about hardcoding them into the connection string?
-
Feb 22nd, 2006, 07:19 AM
#4
Re: hack/crack concerns
Any hardcoded string values stored in a Visual Basic app can be read by another program like Process Explorer, and there are probably apps that can read anything stored in memory, but I don't know for certain.
-
Feb 22nd, 2006, 07:58 AM
#5
Re: hack/crack concerns
 Originally Posted by DeadEyes
Any hardcoded string values stored in a Visual Basic app can be read by another program like Process Explorer, and there are probably apps that can read anything stored in memory, but I don't know for certain.
You just have to disassemble it to read that string. Hardcoded strings are easy to find. Another deadly sin is to check equality between two strings.
IE: User inputs "blahblah"
Your app tests:
userinput == password.
That will be an easy target too. A better way would be to encrypt the password. Then decrypt the user input on the fly, and check that against the encrypted password without decrypting it. A bit like MD5.
- ØØ -
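A pre-release check for the point made in posts #4 and #5 that hardcoded strings are easy to find, as an added example that is not part of the thread: it scans a build output for connection-string credentials in both single-byte and wide-character form. The module name, the key list in the pattern and the sample buffer are assumptions made for the illustration.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Text
Imports System.Text.RegularExpressions

Module EmbeddedSecretScan
    ' Connection-string keys followed by a value. The key list is an assumption of this example.
    Private ReadOnly Pattern As New Regex(
        "\b(pwd|password|uid|user id)\s*=\s*([^;\s\0]{1,64})", RegexOptions.IgnoreCase)

    ' Returns one line per credential-like literal, without echoing the value itself.
    Function FindEmbeddedSecrets(data As Byte()) As List(Of String)
        Dim hits As New List(Of String)
        If data.Length < 2 Then Return hits
        ' VB6 keeps string literals as wide characters, so scan the bytes as
        ' single-byte text and as UTF-16LE at both even and odd alignment.
        Dim views As New Dictionary(Of String, String)
        views.Add("ANSI", Encoding.GetEncoding(28591).GetString(data))
        views.Add("UTF-16LE", Encoding.Unicode.GetString(data))
        views.Add("UTF-16LE (odd offset)", Encoding.Unicode.GetString(data, 1, data.Length - 1))
        For Each view In views
            For Each m As Match In Pattern.Matches(view.Value)
                hits.Add(String.Format("{0}: '{1}=' followed by a {2}-character value",
                                       view.Key, m.Groups(1).Value, m.Groups(2).Length))
            Next
        Next
        Return hits
    End Function

    Sub Main(args As String())
        Dim data As Byte()
        If args.Length > 0 Then
            data = File.ReadAllBytes(args(0))   ' path to your own build output
        Else
            ' Constructed sample: filler bytes around a wide-character connection string.
            Dim buf As New List(Of Byte)(New Byte() {&H4D, &H5A, &H90, 0, 3})
            buf.AddRange(Encoding.Unicode.GetBytes("Server=db.example.invalid;Uid=app_user;Pwd=constructed-sample;"))
            buf.AddRange(New Byte() {0, 0, &HFF})
            data = buf.ToArray()
        End If
        Dim found = FindEmbeddedSecrets(data)
        For Each hit In found
            Console.WriteLine(hit)
        Next
        Environment.ExitCode = If(found.Count > 0, 1, 0)  ' non-zero fails a build step
    End Sub
End Module
```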
-
Feb 23rd, 2006, 07:29 AM
#6
Thread Starter
Addicted Member
Re: hack/crack concerns
Then what is the best and safe way to do it?
Because I have to write the username and password to give it access to reach the database, so it would be somewhere in the VB code.
-
Feb 23rd, 2006, 07:36 AM
#7
Member
Re: hack/crack concerns
Hi
First, if this is SQL Server, then use Windows authentication. This means:
- no hiding of passwords
- no passing of passwords across the network
- Windows auditing of events in SQL Server
Always try to avoid SQL auth. I won't sign off a security design that includes SQL authentication.
However, if you're trying to access other databases, then you may not have this option.
If you wish to store secrets, then use the Data Protection API (DPAPI). Here is an explanation of how to use it. It's fairly complex:
http://msdn.microsoft.com/security/d...SecNetHT00.asp
Look at the How To sections under the heading 'cryptography'
Hope this helps
Chris Seary
-
Feb 23rd, 2006, 09:39 AM
#8
Thread Starter
Addicted Member
Re: hack/crack concerns
It is PHP and MySQL.
-
Feb 23rd, 2006, 09:54 AM
#9
Junior Member
Re: hack/crack concerns
Almost any program made in Visual Basic is easy to crack.
-
Feb 23rd, 2006, 11:33 AM
#10
Re: hack/crack concerns
That's not even remotely correct.
-
Feb 23rd, 2006, 11:41 AM
#11
-
Feb 23rd, 2006, 01:26 PM
#12
Junior Member
Re: hack/crack concerns
 Originally Posted by sevenhalo
Maybe the ones you build
Penagate's right. VB6 has had a long standing reputation for being difficult to decompile. Not that it's impossible, but it's not like opening the exe in notepad and finding the connection string.
Every Visual Basic program I've seen has been easy to crack. You can disassemble and debug them extremely easily. And even with a lot of 'professional' programs, yes, it is just like opening it in notepad and finding the string, if you have the right tools.
-
Feb 23rd, 2006, 04:32 PM
#13
Member
Re: hack/crack concerns
Hey
As I said before, if you need to keep something secret, then use the DPAPI.
You're not relying on hiding the secret within the code or a resource file.
You're relying on the encryption algorithm. The encryption key is related to your password. It uses 3DES to do the encryption.
It's safe, because it's computationally infeasible to break the algorithm.
Don't ever try to rely on obfuscation or any other way of hiding secrets.
Security through obscurity is no security at all.
Hope this helps
Chris Seary
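A minimal use of the DPAPI recommended above through the .NET ProtectedData class, as an added example that is not part of the thread or the linked MSDN articles. The module name, file location, entropy label and sample connection string are assumptions made for the illustration; it needs a reference to System.Security.dll and runs on Windows only.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module DpapiSecretStore
    ' Hypothetical blob location and entropy label, chosen for this example.
    Private ReadOnly BlobPath As String = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ExampleApp\db.secret")
    Private ReadOnly Entropy As Byte() = Encoding.UTF8.GetBytes("ExampleApp/db-connection/v1")

    ' Run once at configuration time, under the Windows account that will run the app.
    ' The connection string is typed in or provisioned then, never compiled into the EXE.
    Sub SaveSecret(connectionString As String)
        Dim plain As Byte() = Encoding.UTF8.GetBytes(connectionString)
        Try
            Dim blob As Byte() = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser)
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath))
            File.WriteAllBytes(BlobPath, blob)
        Finally
            Array.Clear(plain, 0, plain.Length)   ' do not leave the plaintext buffer around
        End Try
    End Sub

    ' Returns Nothing when the blob is missing, was written by another user or
    ' machine, or has been tampered with (Unprotect throws in those cases).
    Function LoadSecret() As String
        If Not File.Exists(BlobPath) Then Return Nothing
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(
                File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser)
            Try
                Return Encoding.UTF8.GetString(plain)
            Finally
                Array.Clear(plain, 0, plain.Length)
            End Try
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample value, not a real credential.
        SaveSecret("Server=db.example.invalid;Uid=app_user;Pwd=constructed-sample;")
        Console.WriteLine(If(LoadSecret() IsNot Nothing, "secret recovered for this user", "no usable secret"))
    End Sub
End Module
```

With DataProtectionScope.CurrentUser the blob is useless to other accounts and on other machines, but any code running as the same user can call Unprotect as well, so the database account behind the connection string should still carry only the privileges the application needs.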
-
Feb 24th, 2006, 02:04 AM
#14
Thread Starter
Addicted Member
Re: hack/crack concerns
 Originally Posted by oldbear
Hey
As I said before, if you need to keep something secret, then use the DPAPI.
You're not relying on hiding the secret within the code or a resource file.
You're relying on the encryption algorithm. The encryption key is related to your password. It uses 3DES to do the encryption.
It's safe, because it's computationally infeasible to break the algorithm.
Don't ever try to rely on obfuscation or any other way of hiding secrets.
Security through obscurity is no security at all.
Hope this helps
Chris Seary
Some more detail would be really helpful for me.
-
Feb 24th, 2006, 03:53 AM
#15
Member
Re: hack/crack concerns
Hi
Here's the link:
http://msdn.microsoft.com/security/.../SecNetHT00.asp
Look at the 'How To' sections under the heading 'cryptography'.
This tells you everything - even gives code samples. The document 'Building Secure ASP.Net Applications' (download the pdf from the MSDN Security site) contains all of these articles, with lots of explanation and diagrams.
Also, the Microsoft Enterprise Libraries (only for .Net) allow you to use the DPAPI quite easily. Here's a link to using it:
http://www.pnplive.com/Slides/22MAR2...%20Webcast.ppt
You could write what you need in .Net, and then expose it to COM via a CCW.
Here is another article exploring the underlying method calls of the DPAPI.
Hope this helps
Chris Seary