Database Password Exposed

If your source code is available to read, I suspect no. String constants in exe files can be easily extracted so if you want to "hide" the password in the exe then you can build it at run time a character or two at a time, even using conversion from numeric values to further obscure the actual password.

Thanks for the reply.

Can you please elaborate more how can I actually do that?

Thanks!

Sure. Take the console app:

Module Module1

    Sub Main()

        Dim password As String = "mypass"
        Console.WriteLine("password=" & password)

        password = Chr(115)
        password &= Chr(101)
        password &= Chr(99)
        password &= Chr(114)
        password &= Chr(101)
        password &= Chr(116)
        Console.WriteLine("password=" & password)

    End Sub

End Module

When you run it you will get the output

password=mypass
password=secret

If you extract the string values from the exe file (I use strings.exe, a tool from the excellent SysInternals Suite available free here) you can see the string "mypass" but not the constructed string "secret".

Please note that if you build "secret" in one line of code like

password = Chr(115) & Chr(101) & Chr(99) & Chr(114) & Chr(101) & Chr(116)

The compiler will optimize this to

password = "secret"

and, therefore, the string will be available for detection. The above method does not prevent someone extracting the string by examining the machine code with a disassembler or a debugger but it does add a level of obfuscation to prevent casual sleuthing.

Thanks for the tip!

Much appreciated.

Any time. Please mark this as solved if we are done.