[windev] Passwords in MFC executables

Tim Lesher tlesher at gmail.com
Tue Mar 17 12:53:53 GMT 2009


On Tue, Mar 17, 2009 at 08:46,  <truckleaj-windev at yahoo.co.uk> wrote:
> Hello
>
> Can someone please clarify for me:
>
> I have a CEdit control with the ES_PASSWORD property set.
>
> In the EN_CHANGE handler I do:
>
> UpdateData(TRUE);
> m_btnOK.EnableWindow(m_strPassword==_T("SomeValue"));
>
> This appears to work fine. But how "secure" is that?
>
> Can someone easily examine my EXE file to locate "SomeValue"?

Yes, very easily.  One step better would be not to encode the value in
plain text, but to use a one-way hash, and store the binary value.
Then hash the password the user enters, and compare the hashes.

That's still light duty for someone with a debugger and rudimentary
reverse engineering skills, but it's an easy step to take that raises
the bar a little.
-- 
Tim Lesher <tlesher at gmail.com>
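
The hash-and-compare approach from the reply above, as an added example that is not part of the original thread or the poster's code. Python is used for the build step and to model the runtime check; the function names, the byte images and the choice of SHA-256 are assumptions made for illustration, and a Unicode MFC build (UTF-16LE CString) is assumed.

```python
import hashlib
import hmac

def digest_of(password: str) -> bytes:
    # Assumption: Unicode MFC build, so CString holds UTF-16LE; hash those exact bytes.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def as_c_array(digest: bytes, name: str = "kPasswordHash") -> str:
    """Build step: render the digest as a C array to paste into the dialog source."""
    body = ", ".join(f"0x{b:02x}" for b in digest)
    return f"static const unsigned char {name}[{len(digest)}] = {{ {body} }};"

def check(entered: str, stored: bytes) -> bool:
    """Runtime: hash what the user typed and compare digests, not strings."""
    return hmac.compare_digest(digest_of(entered), stored)

def leaks_literal(image: bytes, literal: str) -> bool:
    """Post-build check: is the password still present as 8-bit or UTF-16LE text?"""
    return literal.encode("utf-8") in image or literal.encode("utf-16-le") in image

# Constructed stand-ins for an EXE's data section (filler bytes around the secret).
FILLER = b"\x00\x4d\x5a\x90\x00" + bytes(range(0x80, 0xA0))
PLAIN_IMAGE = FILLER + "SomeValue".encode("utf-16-le") + b"\x00\x00"
STORED = digest_of("SomeValue")  # computed once at build time, never shipped as text
HASHED_IMAGE = FILLER + STORED + b"\x00\x00"

if __name__ == "__main__":
    print(as_c_array(STORED))
    print("plaintext build leaks literal:", leaks_literal(PLAIN_IMAGE, "SomeValue"))
    print("hashed build leaks literal:   ", leaks_literal(HASHED_IMAGE, "SomeValue"))
    print("correct entry accepted:", check("SomeValue", STORED))
    print("wrong entry accepted:  ", check("somevalue", STORED))
```

The C++ side has to hash the same bytes (the CString buffer without its terminator) for the digests to match.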

