• 0

[C#] Best encryption method for ftp password


Question

I'm building a class that manages ftp connections. I just realized when making a private string for the password that anyone could just load the program in a hex program or something and grab the password can't they? Or aren't there ways to obtain that string? It seems kind of a bad idea to just have an ftp password sitting there in plain text. But I can do a one way encryption b/c I'd have no way of decrypting it for them. Any ideas to this solution? Or is it not even a problem if it's set to private?

8 answers to this question

  • 0

If you're using standard FTP the password isn't sent encrypted during authentication. If someone wanted it they could just sniff their own network traffic and read the plain text after your program has done whatever it is it needed to do in order to de-obfuscate it.

  • 0
  G0NADS said:
If you wanted to keep someone from locally reading it, consider md5 hashing the password. It won't get sent encrypted and they could sniff it if they wanted to, but if it's md5'd in the proggy then it's pretty secure.

How do you propose turning that hash back into the source password so that it can be used when authenticating with the FTP server?

  • 0

Really the only way to not store the password in some readable form would be to have user interaction. In other words, have someone enter the password into a dialog box or something (obviously not what you want).

Here are some things you could do (none of which are fool-proof):

1) Encode the password locally with Base64 or something, then decode it when it needs to be sent to the FTP server. At least the password wouldn't be stored in plain sight.

2) Encrypt the password with AES locally and decrypt it before sending to the FTP server. This technically is no more secure than #1, because you'd have to store your AES key somewhere, which someone could read and then use to decrypt your FTP password.

3) Store the password in an encrypted database, such as SQLite. Again, same problem as above.

These methods all add steps that would prevent the casual person browsing your code or disassembling your program from seeing the plaintext password. But I think the bottom line is that in any system where someone has access to the machine running your code, the password could be compromised. It would be important to consider who has access to that code, and what their level of computer knowledge is. If it's a casual user, then the above methods should be fine. But if it's a knowledgeable programmer, I think you're out of luck.

Also, don't forget what "the evn show" said above: if you're using the plain FTP protocol, any ol' idiot can simply sniff the password from the network traffic, which would obviate the need to encrypt the password in your code.

  • 0
  Express said:
The recommended way is to use DPAPI

See http://msdn.microsoft.com/en-us/library/ms995355.aspx

Use the ProtectedData class in System.Security.Cryptography if the code is in .NET

Thanks for pointing that out, but doesn't it inherently suffer from the same problem (that someone with access to the code could run the same protection routines to decrypt the password)? Also, the protected FTP passwords could not be transferred to another machine because the ProtectedData class locks it to the current computer or user.

  • 0
  boogerjones said:
that someone with access to the code could run the same protection routines to decrypt the password

Only if someone knows your username & password + has access to your system. <= Equivalent to no password!

Just code access doesn't give away your credentials.

  boogerjones said:
the protected FTP passwords could not be transferred to another machine because the ProtectedData class locks it to the current computer or user

I consider that as a plus point from a security perspective.
