in reply to Re^2: How to hide a password in a script?
in thread How to hide a password in a script?
Here's why it won't work: no matter how you obfuscate the password and the code to unobfuscate it, the program will still be able to generate the password. And that's where "Red Team" will strike. Observe:
sub run { do_something(); my $data = get_data(); system("externalprogram -p $data"); } sub get_data { $data = unobfuscate(); return $data; }
Along comes "Red Team" and tries to crack the system. They read the manual for "externalprogram" and find out that the "-p" flag is for the password, so they edit the run() subroutine to this:
sub run { do_something(); my $data = get_data(); print "DING DING DING! PASSWORD = $data DING DING!\b"; system("externalprogram -p $data"); }
If they have access to the script which generates the password, they can find out what the password is, no matter how you obfuscate it.
Probably the best you can do is to chmod go-rwx script. Then they'll have to crack the user account or root to read the script.