Re^2: Keeping a password safe.

Hi Moritz,

Thanks for response.

I guess it's true to some extent. It's interesting that Windows, where you don't have access to the source code, generally has more security issues than Linux where you do. But even with Windows you have to be a serious hacker to get into it properly: I couldn't do it, for example.

I don't need bank-level security with remote chip and PIN, however, some ordinary commercial-grade security would be nice.

Regards,

Steve

Comment on Re^2: Keeping a password safe.

Replies are listed 'Best First'.
Re^3: Keeping a password safe. by moritz (Cardinal) on Jun 11, 2012 at 09:01 UTC
Your analogy misses an important point. To compromise a windows system, you have to find a new vulnerability, which isn't easy. But to get access a password that a program uses for accessing an FTP server, all one has to do is to monitor the network traffic. There are even tools that automatically sniff out passwords from traffic dumps. Even if you use a more sophisticated approach (like ftp over ssl), the password needs to be in plain text in the memory of your application, and using a debugger it's not hard work to find it out. So since the technical avenue is closed for you, I'd recommend to hand out the passwords to your users, and forbid them (in your terms of service) to give it to third parties. Since you want to protect the downloads, I infer that you sell your software commercially, so you already have some form of direct contact with your customers. If you want to be a bit more careful, give out different passwords to different users, so that you can easily diable one of them if you suspect abuse. Note that any "clever" solution which tries to obfuscate the password will make debugging much harder in case something goes wrong (and something always goes wrong). Perl 6 - the future is here, just unevenly distributed	[reply]

Replies are listed 'Best First'.

Re^3: Keeping a password safe.
by moritz (Cardinal) on Jun 11, 2012 at 09:01 UTC

Your analogy misses an important point. To compromise a windows system, you have to find a new vulnerability, which isn't easy.

But to get access a password that a program uses for accessing an FTP server, all one has to do is to monitor the network traffic. There are even tools that automatically sniff out passwords from traffic dumps.

Even if you use a more sophisticated approach (like ftp over ssl), the password needs to be in plain text in the memory of your application, and using a debugger it's not hard work to find it out.

So since the technical avenue is closed for you, I'd recommend to hand out the passwords to your users, and forbid them (in your terms of service) to give it to third parties. Since you want to protect the downloads, I infer that you sell your software commercially, so you already have some form of direct contact with your customers.

If you want to be a bit more careful, give out different passwords to different users, so that you can easily diable one of them if you suspect abuse.

Note that any "clever" solution which tries to obfuscate the password will make debugging much harder in case something goes wrong (and something always goes wrong).

Perl 6 - the future is here, just unevenly distributed

[reply]