Re^3: How to hide a password in a script?

Here's why it won't work: no matter how you obfuscate the password and the code to unobfuscate it, the program will still be able to generate the password. And that's where "Red Team" will strike. Observe:

sub run
{
    do_something();
    my $data = get_data();
    system("externalprogram -p $data");
}


sub get_data
{
    $data = unobfuscate();
    return $data;
}
[download]

Along comes "Red Team" and tries to crack the system. They read the manual for "externalprogram" and find out that the "-p" flag is for the password, so they edit the run() subroutine to this:

sub run
{
    do_something();
    my $data = get_data();
    print "DING DING DING! PASSWORD = $data DING DING!\b";
    system("externalprogram -p $data");
}
[download]

If they have access to the script which generates the password, they can find out what the password is, no matter how you obfuscate it.

Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script.

Comment on Re^3: How to hide a password in a script? Select or Download Code

Replies are listed 'Best First'.
Re^4: How to hide a password in a script? by dataking (Acolyte) on Aug 06, 2004 at 18:48 UTC
beable said --> "Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script. " That's a given. ;)	[reply]


There's more than one way to do things
	PerlMonks