Protecting the Database
Talking of security, I recalled a method most developers use to protect their database files: protecting them with long passwords. Long, so that if a hacker resorts to brute force, he will take years to crack it. While some developers succeed in their intent, others open a new door for hackers to get the password: the application that calls the database.
However secure or cryptic your password may be, if your application connects to the database, the password has to be included in it, and if a hacker has access to the application executable, he has a way to get the password.
A dedicated hacker can disassemble the executable, dig into the assembly code and walk away with the password. The intent of this post is not to stop such hackers, which is near to impossible, but to stop the casual ones who can get your password using nothing more than DOS EDIT or MS Word!
EDIT and Word! Sounds funny, but it's true!
Many developers connect to the database from the application using a connection string similar to
“Port=3306;Option=4;Database=MyDatabase;Uid=MyUsername;Pwd=MyPassword;”
While your application code is compiled into machine instructions that are not readable as text, string literals are stored in the executable exactly as written, and anyone, anyone at all, can open the executable in EDIT and read the password from the human-readable strings. MS Word goes a step further: it lets the user open the executable with the option “Recover Text from Any File (*.*)” under “Files of type”, which shows all the text after removing zero bytes and the like, so the text “Pwd” becomes searchable.
Hope I was clear in explaining. To avoid this, it is advisable to build the password in a variable in a way that does not store the exact characters as a literal, say using CHR(), and then append the password to the connection string. Better still, implement an algorithm in the application that generates the password (not a random one, but a single fixed value) and use that password to protect the database.
The steps discussed above do not guarantee that a dedicated hacker cannot get your password (he can still do it by disassembling), but they at least stop the password from being read by just anyone!
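The check and the mitigation described above, as an added example that is not part of the original post. The "executable" is a constructed byte blob standing in for a compiled image, not a real binary; the first scan mimics what EDIT shows (runs of printable bytes), the second mimics Word's "Recover Text from Any File" (zero bytes dropped first, which also exposes UTF-16 strings). The second half stores the password as offset numeric codes (each as a 4-byte integer, an assumption about how CHR() arguments land in an image) and rebuilds it at run time, so the same scan no longer finds a `Pwd=` value.

```python
import re

# Constructed sample: a connection string of the kind quoted in the post.
PLAINTEXT_CONN = b"Port=3306;Option=4;Database=MyDatabase;Uid=MyUsername;Pwd=MyPassword;"


def fake_executable(data: bytes) -> bytes:
    """Hypothetical stand-in for a compiled image: opaque filler around the data."""
    filler = bytes(range(256)) * 2
    return b"MZ\x90\x00" + filler + data + b"\x00\x00" + filler[::-1]


# What EDIT shows: runs of at least six printable ASCII bytes.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# What a reviewer looks for in those runs: a password field with a value.
CRED_PATTERN = re.compile(r"(?i)\b(pwd|password)=([^;]+)")


def extract_strings(blob: bytes, strip_zero_bytes: bool = False) -> list:
    """Return printable text runs; with strip_zero_bytes, behave like Word's
    "Recover Text from Any File" so UTF-16 text ("P\\0w\\0d\\0") is readable too."""
    if strip_zero_bytes:
        blob = blob.replace(b"\x00", b"")
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def find_credentials(blob: bytes) -> list:
    """Defender's check on a build artifact: does any readable text carry a password?"""
    found = set()
    for strip in (False, True):
        for text in extract_strings(blob, strip_zero_bytes=strip):
            for key, value in CRED_PATTERN.findall(text):
                found.add((key.lower(), value))
    return sorted(found)


# --- the post's mitigation: build the password at run time ---

# "MyPassword" stored as character codes shifted by OFFSET. Each code is written
# as a 4-byte integer in the image (assumption for this demo). The literal string
# never appears in the image, and the shifted bytes are all non-printable.
OFFSET = 128
PASSWORD_CODES = (205, 249, 208, 225, 243, 243, 247, 239, 242, 228)
CONN_TEMPLATE = b"Port=3306;Option=4;Database=MyDatabase;Uid=MyUsername;Pwd="


def build_password(codes=PASSWORD_CODES, offset=OFFSET) -> str:
    """Rebuild the password character by character, the CHR() approach."""
    return "".join(chr(c - offset) for c in codes)


def connection_string() -> str:
    """Append the run-time-built password to the template, as the post advises."""
    return CONN_TEMPLATE.decode("ascii") + build_password() + ";"


def obfuscated_image() -> bytes:
    """Image of an application that stores only the template and the shifted codes."""
    encoded = b"".join(c.to_bytes(4, "little") for c in PASSWORD_CODES)
    return fake_executable(CONN_TEMPLATE + b"\x00" * 8 + encoded)


if __name__ == "__main__":
    ascii_image = fake_executable(PLAINTEXT_CONN)
    utf16_image = fake_executable(PLAINTEXT_CONN.decode("ascii").encode("utf-16-le"))
    print("plaintext ASCII image :", find_credentials(ascii_image))
    print("plaintext UTF-16 image:", find_credentials(utf16_image))
    print("run-time-built image  :", find_credentials(obfuscated_image()))
    print("connection string used:", connection_string())
```

Running the script shows `[('pwd', 'MyPassword')]` for both plaintext images (the UTF-16 one only because of the zero-byte stripping) and an empty list for the image that builds the password at run time, while `connection_string()` still yields the exact string the application needs. The same `find_credentials` scan, run over a real build artifact with a tool such as `strings`, is the quick check to add before shipping; as the post says, it defeats EDIT and Word, not a disassembler.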
