Reading binary files with notepad?


Post by OmarShehata »

I'm at a point where I need a certain Lua file to not be very easily accessible. Why, you might ask?

My Setup

I have a login system set up on a server. All my Lua code does is make an http request to a php file, sending a username and password, and the server tells me if they are correct. Since authentication and everything is handled on the server, everything should be secure client-side.

The Problem

Now I want to store the username and password for convenience, so the user doesn't have to enter them every time they open my game/launcher. However, I don't want to just store them as plain text. I thought I could simply hash or encrypt them in some way, but no matter what I do, as long as the person can read the code, he can figure out how to decrypt it really easily.

So I thought to compile just the encryption/decryption function into binary, with string.dump, and then run it with dofile and such. And I was happy to see this is what the file looks like when you open it in Sublime:

Image

Now to my horror, when I try opening it with notepad, I get:

Image

The code's just... there, with a bunch of extra jumbled stuff. This is the original file I was testing with:

local Encrypt = {};

function Encrypt:Lock(user,pass)
	print('a')
end

function Encrypt:Unlock()
	--return user and pass
end

return Encrypt;

How is it so easy to just... see the code?

When I try the same thing with LuaC, it only shows the function names in notepad. But the binary code from LuaC isn't compatible with LuaJIT's.

So the question

Are there any tricks to just make it harder for someone to steal the user and password even if you know where they are stored on the computer? It's just an added level of security.

Thanks in advance for your time!
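
An added example, not part of the original post: the script below dumps a constructed stand-in for the poster's module with string.dump and reports which strings stay readable in the resulting bytes, with and without the strip flag (honoured by LuaJIT and Lua 5.3+, ignored by Lua 5.1/5.2). The module, the key value and the helper names are constructed for illustration.

```lua
-- Constructed sample standing in for an encrypt/decrypt module.
local function make_module()
  local SECRET_KEY = "constructed-demo-key-1234" -- constructed value
  local Encrypt = {}
  function Encrypt.Lock(user, pass)
    return SECRET_KEY .. ":" .. user .. ":" .. pass
  end
  return Encrypt
end

-- Collect runs of printable ASCII, the same thing a text editor
-- shows between the "jumbled" bytes of a bytecode file.
local function printable_strings(bytes, min_len)
  local found = {}
  for run in bytes:gmatch("[%w%p ]+") do
    if #run >= min_len then found[#found + 1] = run end
  end
  return found
end

-- True if any extracted run contains the needle (plain-text search).
local function contains(runs, needle)
  for _, s in ipairs(runs) do
    if s:find(needle, 1, true) then return true end
  end
  return false
end

-- Second argument = strip debug info (local names, line numbers).
-- String constants are part of the program and are never stripped.
local dumps = {
  { "with debug info", string.dump(make_module) },
  { "stripped",        string.dump(make_module, true) },
}

local needles = { "constructed-demo-key-1234", "Lock", "SECRET_KEY", "pass" }

for _, d in ipairs(dumps) do
  local runs = printable_strings(d[2], 4)
  print(("%s: %d bytes, %d printable runs"):format(d[1], #d[2], #runs))
  for _, needle in ipairs(needles) do
    local state = contains(runs, needle) and "visible" or "not found"
    print(("  %-28s %s"):format(needle, state))
  end
end
```

Stripping removes names that exist only for debugging; any key or string literal the function needs at run time is stored in the dump as a contiguous constant.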

Post by Plu »

I don't think any other program really does this, and I can't really find a good answer for it. There's really no way to secure something in such a way that the program can figure out the credentials (which it needs in order to log in) while at the same time not allowing a user who has access to that very same program which can figure out the credentials to do the same thing.

Even your browser just stores all of your passwords for websites and the like as easily accessible data.

I mean; in the very worst case the user could just open up your program, find the place where it logs in, and then add a 'print' statement to output the credentials it's using and there you go. There's no stopping that.

Post by OmarShehata »

Plu wrote:
> I don't think any other program really does this, and I can't really find a good answer for it. There's really no way to secure something in such a way that the program can figure out the credentials (which it needs in order to log in) while at the same time not allowing a user who has access to that very same program which can figure out the credentials to do the same thing.
>
> Even your browser just stores all of your passwords for websites and the like as easily accessible data.
>
> I mean; in the very worst case the user could just open up your program, find the place where it logs in, and then add a 'print' statement to output the credentials it's using and there you go. There's no stopping that.

Good point.

I guess the only real danger was that, if someone that wasn't you got access to your computer, he'd be able to get your user and pass. But if someone who isn't you got access to your computer, he could do a lot worse than steal an account for a game.

Post by MPQC »

OmarShehata wrote:
> Plu wrote:
> > I don't think any other program really does this, and I can't really find a good answer for it. There's really no way to secure something in such a way that the program can figure out the credentials (which it needs in order to log in) while at the same time not allowing a user who has access to that very same program which can figure out the credentials to do the same thing.
> >
> > Even your browser just stores all of your passwords for websites and the like as easily accessible data.
> >
> > I mean; in the very worst case the user could just open up your program, find the place where it logs in, and then add a 'print' statement to output the credentials it's using and there you go. There's no stopping that.
>
> Good point.
>
> I guess the only real danger was that, if someone that wasn't you got access to your computer, he'd be able to get your user and pass. But if someone who isn't you got access to your computer, he could do a lot worse than steal an account for a game.

It's generally considered game over if someone has access to your computer as far as security is concerned. There's some stuff that you can do to delay the person that would be trying to get access, but chances are you're not going to be stopping them.

First, 'security by obscurity', which in reality you should not depend on at all. You mentioned this in OP. I believe you can call C++ functions from LuaJIT, so you could write your encrypt/decrypt in C++ and compile it down, so they can't directly view the source with notepad. But still, someone with enough time will get past this so again, all you're doing is slowing them down.

Next, to help avoid more damage to the user, never have their password in plaintext. Hash it, and store only the hash on their computer. This way, they may be able to log in to your game, but they won't know the original password, so if the person used the same password on other services (i.e. email), they won't get that stolen from them. So not perfect, but a lot better than the user getting all his stuff stolen. There are some other benefits to this, for example if you require them to know the old password to change their password, they won't be able to do it. All they will be able to do is log in.

In the end, if they have access to their computer, they lose, really.