BTW, I was assuming that your application user doesn't have administrative access to the system where the application is hosted. If they do, all bets are off. For example:

* They can take a copy of your script, and modify it to add "STDERR.puts password" at the appropriate point
* They can load their own version of Net::HTTP which prints out the passwords it is using
* Unless you're using HTTPS or digest authentication, they can use tcpdump/wireshark to look at the HTTP transaction on the wire, and easily see the Authorization: header which contains the cleartext username and password

But if you don't care about those possibilities (*), then you may as well use any sort of trivial password hiding, such as setting the top bit in each byte.

[ruby 1.8 example]

    >> passwd
    => "\364\357\360\256\363\345\343\362\345\364"
    >> passwd.size.times { |i| passwd[i] = passwd[i] ^ 0x80 }
    => 10
    >> passwd
    => "top.secret"

[ruby 1.9 example]

    >> passwd = "\364\357\360\256\363\345\343\362\345\364"
    => "\xF4\xEF\xF0\xAE\xF3\xE5\xE3\xF2\xE5\xF4"
    >> passwd.size.times { |i| passwd[i] = (passwd[i].ord ^ 0x80).chr }
    ArgumentError: invalid byte sequence in UTF-8
            from (irb):2:in `ord'
            from (irb):2:in `block in irb_binding'
            from (irb):2:in `times'
            from (irb):2
            from /usr/local/bin/irb19:12:in `<main>'
    >> passwd.force_encoding("BINARY")
    => "\xF4\xEF\xF0\xAE\xF3\xE5\xE3\xF2\xE5\xF4"
    >> passwd.size.times { |i| passwd[i] = (passwd[i].ord ^ 0x80).chr("BINARY") }
    => 10
    >> passwd
    => "top.secret"

You can both hide and unhide passwords with the same code.

Regards,

Brian.

(*) This is making the (IMO risky) assessment that your users are too dumb to use these techniques to recover the password, and yet not so dumb that you'd be happy leaving the password in clear text.

There are lots of similar approaches, for example embedding a client SSL certificate in your application, and using certificate authentication at the server. This assumes your adversary is so dumb that they don't know how to take the private key and certificate from the app and use it themselves.

--
Posted via http://www.ruby-forum.com/.
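Added example, not part of the post above: the same top-bit toggle done on bytes instead of characters, which sidesteps the UTF-8 `ArgumentError` from the 1.9 session, plus an audit check that flags values hidden this way when reviewing your own scripts and config. The method names `toggle_top_bit`, `top_bit_hidden?` and `demo` are hypothetical; the sample value is the one from the post.

```ruby
# Added example: byte-level version of the top-bit toggle from the post.
# Method names are hypothetical; the sample value is the one shown in the post.

# Flip bit 7 of every byte. Working on bytes (not characters) avoids the
# "invalid byte sequence in UTF-8" error, whatever encoding the input
# string is tagged with. The result is a binary (ASCII-8BIT) string.
def toggle_top_bit(str)
  str.bytes.map { |b| b ^ 0x80 }.pack("C*")
end

# Audit helper: true when every byte has its top bit set and clearing it
# yields printable ASCII, i.e. the value is only trivially hidden and
# should be treated as a cleartext secret.
def top_bit_hidden?(str)
  return false if str.empty?
  str.bytes.all? { |b| b >= 0x80 && (0x20..0x7e).cover?(b ^ 0x80) }
end

HIDDEN = "\xF4\xEF\xF0\xAE\xF3\xE5\xE3\xF2\xE5\xF4" # value from the post

def demo
  plain = toggle_top_bit(HIDDEN).force_encoding("US-ASCII")
  {
    plain: plain,                                   # recovered text
    round_trip: toggle_top_bit(plain) == HIDDEN.b,  # same code hides again
    flagged: top_bit_hidden?(HIDDEN),               # hidden form is detected
    plain_flagged: top_bit_hidden?(plain)           # ordinary text is not
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```
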