comment on

Here's why it won't work: no matter how you obfuscate the password and the code to unobfuscate it, the program will still be able to generate the password. And that's where "Red Team" will strike. Observe:

sub run
{
    do_something();
    my $data = get_data();
    system("externalprogram -p $data");
}


sub get_data
{
    $data = unobfuscate();
    return $data;
}
[download]

Along comes "Red Team" and tries to crack the system. They read the manual for "externalprogram" and find out that the "-p" flag is for the password, so they edit the run() subroutine to this:

sub run
{
    do_something();
    my $data = get_data();
    print "DING DING DING! PASSWORD = $data DING DING!\b";
    system("externalprogram -p $data");
}
[download]

If they have access to the script which generates the password, they can find out what the password is, no matter how you obfuscate it.

Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script.

In reply to Re^3: How to hide a password in a script? by beable
in thread How to hide a password in a script? by dataking

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


Pathologically Eclectic Rubbish Lister
	PerlMonks