-------------------------------------------------------------------------------
Passwords stored in programs

While I can not condone the storing of passwords in programs, be it in scripts
(shell, perl, etc) or hardcoded in C programs, it really is very, very
difficult to get away from it. The problem is that the program must be able to
get a password, and asking the user for one all the time is not very
convenient.

The typical solution is the use of keyring daemons and agents which have
already been given a password to decrypt the 'keys' (passwords and other info)
that programs need to do their task. Well known examples of such programs
are...

  * The "ssh-agent" program, for handling and passing ssh public keys.
  * Gnome Keyring, which typically encrypts its data using the user's
    password on login, OR requests it on first use, OR is unencrypted.

However daemon services such as web servers, and web clients which must run
when the machine boots without a user present, make this much more difficult.
In this case the password is typically saved to disk in a permission
restricted file, which may or may not be encrypted. But then it comes back to
encrypting using a password stored in a program or script.

Basically the only real way to protect a password is with.. a password! And
that needs to come from somewhere.

-------------------------------------------------------------------------------
Obfuscation by lookup

If you have a large file that you can guarantee will not change, then you can
use that file to generate the password to decrypt the real password. For
example...

  * lookup and concatenate lines X, Y, Z from /usr/share/dict/words
  * Use a MD5 hash of the whole external file.

As long as the file does not change, the starting password to decrypt the real
password can be determined. Unless the source is available or easily readable,
this method of password obfuscation can be difficult to figure out.

--
A variation of this is to have a block of code be used as the source.
This way it is in the program itself. But it means that you must never change
that part of the code.

  some_function() {
    :   # any fixed body; the text of this function is what gets hashed
  }
  type some_function | md5sum | ... decryption_routine

WARNING: using "type" in a shell script may give different output for
different shells and versions. That is, an upgrade could break the starting
password. Similarly in C programs, different recompiles and machines may have
different defaults.

-------------------------------------------------------------------------------
Use a reversible algorithmic hashing.

For example..

  echo 1468369091346906859060166438166794P | dc

Or the really simple base64 encoding. The '=' at the end tends to give the
obfuscation away.

  secret="cGFzc3dkCg=="
  perl -e 'use MIME::Base64; print decode_base64("'"$secret"'");'

You can even make use of some very obfuscated perl...

  s''(q.S:$/9=(T1';s;(..)(..);$..=substr+crypt($1,$2),2,3;eg;print$..$/

The above converts 3 sets of 4 characters in "(q.S:$/9=(T1" into 3 x 3
character sequences: "liverpole"

-------------------------------------------------------------------------------
Use something intrinsic to the host

For example; hostname, hostid, Ethernet MAC address. Of course don't use that
directly but hash, or obfuscate it further.

Note however that this method means that the program can not get the real
password if the program and its configuration moves to another machine. At
least not without letting this linkage become public knowledge to system
programmers.

--
An example of this is the classic software licence daemon, though rather than
passwords, the licence was public key encrypted based on the hostid of the
machine the software was licenced for.

-------------------------------------------------------------------------------
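The lookup scheme, its whole-file hash variant, and the host-intrinsic variant
written out end to end, as an added example that is not code from the original
page. It assumes a small constructed wordlist in place of /usr/share/dict/words,
uses SHA-256 where the text says MD5, stands in an HMAC-SHA256 counter keystream
for the unnamed decryption_routine, and takes the host identity as a parameter
rather than reading it from the system. It also exercises the two failure modes
the text notes: the lookup file changing, and the configuration moving to
another host.

```python
import hashlib
import hmac

# Constructed stand-in for a large, never-changing file such as /usr/share/dict/words.
# Line order matters: the lookup below picks lines by number, like the text's X, Y, Z.
WORDLIST = b"abacus\nbramble\ncinder\ndusk\nember\nfjord\n"


def key_from_lines(file_data: bytes, line_numbers) -> bytes:
    """Lookup variant: concatenate the chosen lines (1-based, as sed/awk count them)
    and hash the result into 32 bytes of key material."""
    lines = file_data.splitlines()
    picked = b"".join(lines[n - 1] for n in line_numbers)
    return hashlib.sha256(picked).digest()


def key_from_whole_file(file_data: bytes) -> bytes:
    """Whole-file variant (the text uses MD5; SHA-256 here, the idea is the same).
    Changing any byte of the file yields a different key."""
    return hashlib.sha256(file_data).digest()


def key_from_host_identity(identity: bytes) -> bytes:
    """Host-intrinsic variant: hash something like the hostname or MAC address
    instead of using it directly. The identity is a parameter so the example is
    deterministic; a real program would read it from the system (assumption)."""
    return hashlib.sha256(b"host-identity:" + identity).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256 over a counter. This is the stand-in
    for the text's unnamed 'decryption_routine', chosen so nothing outside the
    standard library is needed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(secret: bytes, key: bytes) -> bytes:
    """XOR the secret with the keystream; the same call unwraps it."""
    return bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret))))


unwrap = wrap  # XOR with the same keystream is its own inverse


def demo():
    real_password = b"s3cret-db-pass"
    # What the script carries on disk: the wrapped secret, the line numbers,
    # and (implicitly) the path of the lookup file.
    stored = wrap(real_password, key_from_lines(WORDLIST, (2, 5, 3)))

    # Same file, same lines -> the real password comes back.
    recovered = unwrap(stored, key_from_lines(WORDLIST, (2, 5, 3)))

    # Failure mode from the text: the lookup file changed (one word edited),
    # so the derived key differs and the output is junk, not the password.
    changed_file = WORDLIST.replace(b"ember", b"embers")
    after_change = unwrap(stored, key_from_lines(changed_file, (2, 5, 3)))

    # Host-intrinsic linkage: the same configuration on another host derives
    # a different key, so the real password is unreachable there.
    on_host_a = key_from_host_identity(b"webserver-a")
    on_host_b = key_from_host_identity(b"webserver-b")

    return {
        "recovered": recovered,
        "after_change": after_change,
        "host_keys_differ": on_host_a != on_host_b,
    }


if __name__ == "__main__":
    result = demo()
    print("recovered:", result["recovered"])
    print("after wordlist change:", result["after_change"])
    print("host keys differ:", result["host_keys_differ"])
```

Note what the example makes concrete about the author's closing point: every
input to key_from_lines and key_from_whole_file is readable by whoever can read
the script and the lookup file, so the scheme hides the password from a casual
glance but the starting password still has to live somewhere on the same
machine.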