[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Kent Borg
> 
> My program already has to hope that its program files are secured by the
> hosting OS, but at least if it isn't opening up a network port it stays
> a rather contained problem.

Depends on a lot of stuff.  What language?  Running on a system you own, or deployed to someone else, etc?  

Normally, passwords that your app needs in order to connect to some other thing should be stored in a config file.  Ideally, it should be an OS-encrypted store, for example in C# I would use ProtectedData.  This encrypts the file on disk using a complex set of login stuff to derive a key specific to the logged in user - or in mono, the mono MRE generates random keys and stores them in a protected subdir in the users' home dir, so once again it's protected to the logged in user.