Password extractable from executable code?

Question

If a password is hard-coded into a variable in source code such as VB, could someone extract this password by looking at the compiled executable code?

If so, what can be done to avoid this?

Answer 1

Yes, someone could.

Nothing can be done to avoid it. Obfuscation will make it slightly harder.

In the worst case, if someone didn't understand your obfuscated code, they could run your executable in a debugger and read the password from memory just before you use it.

The solution is, of course, not to hard-code important passwords into your binaries.

Answer 2

Yes. The password could be found by watching the program execute in a debugger. If you do nothing, it might even be possible to find by searching for text in the binary file.

What can be done? There are anti-debugging techniques like obfuscation or anti-tampering mechanisms that will cause the executable to blow up when debugged. Obfuscation is probably easy to implement. Anti-tampering will be difficult.