Re: How good an encryption algorithm is this?
From: Alex (sdfjkhsdkh_at_ksfjdkjwdfsklj.nowhere)
Date: 11/24/04
- Next message: phreakstar: "Re: One form above another"
- Previous message: Wm. Scott Miller: "Re: Securing hashing algorithm"
- In reply to: Bonj: "Re: How good an encryption algorithm is this?"
- Next in thread: Bonj: "Re: How good an encryption algorithm is this?"
- Reply: Bonj: "Re: How good an encryption algorithm is this?"
- Reply: Bonj: "Re: How good an encryption algorithm is this?"
Date: Wed, 24 Nov 2004 10:21:28 -0500
"Bonj" <benjtaylor at hotpop d0t com> wrote in
news:#td8ILa0EHA.3972@TK2MSFTNGP12.phx.gbl:
>
>> If you're using ODBC to communicate with SQL Server, you probably
>> pass the password to SQLConnect, so whoever has access to the
>> computer and curious enough can just look what your application
>> passes.
>
> But surely they'd need to understand how to disassemble machine
> language into assembly and understand where the "pass" takes place
> in order to do that?

No, unless you link with ODBC statically. Against a dynamic library, one
can just drop a proxy DLL on that computer.

> Thus wouldn't be able to be done by a layman...
> At the end of the day, if Bloke A's rival, Bloke B, were to sneak
> onto Bloke A's computer at lunch time, he could technically run
> whatever SQL he liked just by starting up my program (that the
> password encryption security is a minor part of), and running it
> on the server through the application's interface. But, the crux
> is, Bloke A would return from lunch, discover Bloke B had done
> something, and immediately change his password, and make sure he
> locked his terminal in future - the real question is could Bloke B
> download a program from the internet, load it onto Bloke A's
> computer, point it at the registry and my program's application
> directory, and hey presto, he actually *discovers* the password,
> to use at his own leisure, from his own computer.

Wouldn't it be easier to just copy the registry entry "as is" and
bring it to his computer? If you're trying to protect against it, you
need, as a minimum, to encrypt using a key unique to the computer
(for example, through the hash of the MAC address, or hard drive ID).

Alex.
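
Added example, not part of the post above or of the application discussed in the thread: a sketch of the machine-bound key suggested in the last paragraph, showing that a stored value copied "as is" to another computer no longer decrypts. The function names are hypothetical, the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for an authenticated cipher such as AES-GCM, and the two machine identifiers in the demo are constructed.

```python
import hashlib
import hmac
import os
import uuid

def local_machine_id() -> bytes:
    # Hash of this computer's MAC address, as the post suggests.
    return hashlib.sha256(uuid.getnode().to_bytes(6, "big")).digest()

def _keys(machine_id: bytes, salt: bytes):
    # Stretch the machine identifier into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", machine_id, salt, 50_000, dklen=64)
    return km[:32], km[32:]

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password: bytes, machine_id: bytes) -> bytes:
    # Output layout: salt(16) | nonce(16) | ciphertext | tag(32)
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(machine_id, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, password)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(blob: bytes, machine_id: bytes) -> bytes:
    if len(blob) < 64:
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(machine_id, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("not sealed on this machine, or modified")
    return _xor_stream(enc_key, nonce, ct)

if __name__ == "__main__":
    # Constructed identifiers standing in for two different computers.
    machine_a = hashlib.sha256(b"00:11:22:33:44:55").digest()
    machine_b = hashlib.sha256(b"66:77:88:99:aa:bb").digest()
    stored = seal(b"example-password", machine_a)   # value written to the registry
    print(unseal(stored, machine_a))                # original machine: decrypts
    try:
        unseal(stored, machine_b)                   # copied "as is" elsewhere
    except ValueError as err:
        print("rejected:", err)
```

A MAC address or drive ID is not a secret, so anyone who can read it on the original computer can rebuild the key; the binding only defeats the case where the stored entry alone is carried away.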