
[C#] Best encryption method for ftp password


Question

I'm building a class that manages FTP connections. I just realized when making a private string for the password that anyone could just load the program in a hex program or something and grab the password, can't they? Or aren't there ways to obtain that string? It seems kind of a bad idea to just have an FTP password sitting there in plain text. But I can do a one-way encryption b/c I'd have no way of decrypting it for them. Any ideas to this solution? Or is it not even a problem if it's set to private?

8 answers to this question


  • 0

If you're using standard FTP the password isn't sent encrypted during authentication. If someone wanted it they could just sniff their own network traffic and read the plain text after your program has done whatever it is it needed to do in order to de-obfuscate it.

  • 0
  G0NADS said:
if you wanted to keep someone from locally reading it, consider md5 hashing the password, it won't get sent encrypted and they could sniff it if they wanted to, but if it's md5'd in the proggy then it's pretty secure

How do you propose turning that hash back into the source password so that it can be used when authenticating with the FTP server?

  • 0

Really the only way to not store the password in some readable form would be to have user interaction. In other words, have someone enter the password into a dialog box or something (obviously not what you want).

Here are some things you could do (none of which are fool-proof):

1) Encode the password locally with Base64 or something, then decode it when it needs to be sent to the FTP server. At least the password wouldn't be stored in plain sight.

2) Encrypt the password with AES locally and decrypt it before sending to the FTP server. This technically is no more secure than #1, because you'd have to store your AES key somewhere, which someone could read and then use to decrypt your FTP password.

3) Store the password in an encrypted database, such as SQLite. Again, same problem as above.

These methods all add steps that would prevent the casual person browsing your code or disassembling your program from seeing the plaintext password. But I think the bottom line is that in any system where someone has access to the machine running your code, the password could be compromised. It would be important to consider who has access to that code, and what their level of computer knowledge is. If it's a casual user, then the above methods should be fine. But if it's a knowledgeable programmer, I think you're out of luck.

Also, don't forget what "the evn show" said above: if you're using the plain FTP protocol, any ol' idiot can simply sniff the password from the network traffic, which would obviate the need to encrypt the password in your code.

  • 0
  Express said:
The recommended way is to use DPAPI

See http://msdn.microsoft.com/en-us/library/ms995355.aspx

Use ProtectedData class in System.Security.Cryptography if code is in .net

Thanks for pointing that out, but doesn't it inherently suffer from the same problem (that someone with access to the code could run the same protection routines to decrypt the password)? Also, the protected FTP passwords could not be transferred to another machine because the ProtectedData class locks it to the current computer or user.
  • 0
  boogerjones said:
that someone with access to the code could run the same protection routines to decrypt the password

Only if someone knows your username & password+has access to your system. <= Equivalent to no password!

Just Code access doesn't give away your credentials.

  boogerjones said:
the protected FTP passwords could not be transferred to another machine because the ProtectedData class locks it to the current computer or user

I consider that as a plus point from a security perspective.

This topic is now closed to further replies.
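
Added example (not part of the original thread, and not any poster's code): a minimal sketch of the DPAPI approach discussed above, using the ProtectedData class so the FTP password is never compiled into the binary and the stored blob can only be unprotected by the same Windows account. The class name, file path and entropy label are hypothetical and chosen for illustration.

```csharp
// Windows only (DPAPI). .NET Framework: reference System.Security.dll;
// .NET (Core): add the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class FtpPasswordStore
{
    // Hypothetical location for the protected blob (assumption for this example).
    private static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleFtpClient", "ftp-password.bin");

    // Optional entropy binds the blob to this application's purpose.
    // It lives in the code, so it is not a secret and adds no key strength.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleFtpClient/ftp");

    // Call once, e.g. from a setup dialog where the user types the password.
    public static void Save(string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            // CurrentUser scope: only this Windows account can unprotect the blob.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, blob);
        }
        finally { Array.Clear(plain, 0, plain.Length); } // wipe the plaintext bytes
    }

    // Returns null when no blob exists or it was protected by another user or machine.
    public static string Load()
    {
        if (!File.Exists(BlobPath)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException)
        {
            return null; // blob copied from another account or PC: ask for the password again
        }
    }
}
```

This protects only the stored copy: any code running as the same Windows user can still call Unprotect, and, as the first answer notes, plain FTP still sends the password unencrypted on the wire.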