[Tutor] How to obfuscate a database password. (fwd)

Alan Gauld alan.gauld at freenet.co.uk
Thu Apr 21 23:10:06 CEST 2005


> I am not necessarily talking about passwords for users but about the
> password that is used for connecting to the database. In a compiled
> language you would have to look pretty hard in a dll to find where the
> password had been encoded.

It would be insanely bad practice to embed the password in the code,
compiled or not. (And in fact it's very easy to strip all the strings
out of a compiled executable - the strings command on unix does
exactly that...) But the real problem is that if the database gets
hacked the database administrator can't change the password unless
he can also edit the application source code and rebuild it!

It is normal practice to have the password stored in a text file
(that may be encrypted) and read it on startup of the program, or
better still to pass the login details (username and password) in
as startup command line parameters. That way the application
can access multiple databases etc, or different tablespaces in
the same instance etc etc. It's much more flexible and powerful
as well as being much more secure.

HTH,

Alan G
Author of the Learn to Program web tutor
http://www.freenetpages.co.uk/hp/alan.gauld
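
The first option described in the message above (login details kept in a text file and read at program startup), sketched in Python as an added example that is not part of the original post. The INI layout, the `[database]` section name, the function names and the file-permission check are assumptions of this example.

```python
import configparser
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """Raised when the credential file is accessible to group or others."""


def load_db_credentials(path, section="database"):
    """Return (username, password) from an INI file kept outside the source."""
    with open(path, encoding="utf-8") as fh:
        # fstat the open descriptor so the file checked is the file read.
        mode = os.fstat(fh.fileno()).st_mode
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path} has mode {stat.S_IMODE(mode):04o}; expected 0600")
        # interpolation=None: a '%' in a password must be read literally.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_file(fh)
    return parser[section]["username"], parser[section]["password"]


def demo():
    """Constructed sample: a 0600 file loads, the same file at 0644 is refused."""
    fd, path = tempfile.mkstemp(suffix=".ini")  # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            # Constructed values, not real credentials.
            fh.write("[database]\nusername = app_user\n"
                     "password = ex%ample-only\n")
        creds = load_db_credentials(path)
        os.chmod(path, 0o644)  # simulate a world-readable credential file
        try:
            load_db_credentials(path)
            refused = False
        except InsecureCredentialFile:
            refused = True
        return creds, refused
    finally:
        os.unlink(path)


if __name__ == "__main__":
    (user, _password), refused = demo()
    print(f"loaded credentials for {user}; loose-permission file refused: {refused}")
```

With this layout the administrator changes the password by editing one file, and the application picks it up on its next start without a rebuild.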


