Question

I need to open and read an encrypted file in a C++ program. Do I need to keep the password in the program? Is the user able to get the password when the program is disassembled?

What's the best way to keep the user away from the password?


Solution

If you just put the password hard-coded then, yes. With some disassembly it is easy to get the password (you don't even need to disassemble fully, only get the strings). You can try to obfuscate the password somehow, such as computing a hash of something that creates the password (this is very simplistic). In the end, if you give someone an encrypted file and a program that opens that file, you can't really hide that information from them.

OTHER TIPS

Another simplistic solution (provides very basic security only; may be susceptible to hacker attack):

  1. Create your password file in a directory on which users have no permission.
  2. Provide users only execute permissions to the executable but use setuid so that they can run the executable as you.
  3. In the exe, read the password from the file kept in a directory that only you have permission to (created in step 1).
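
The read step of the setuid approach above, as an added example that is not part of either answer: the helper refuses a password file that is a symlink, is not owned by the setuid owner, or is readable by group/other, then permanently drops the borrowed identity. It assumes Linux (`setresuid`/`setresgid`); `read_secret`, `drop_privileges` and the path are hypothetical names.

```cpp
// Added example: read step of the setuid helper (names are hypothetical).
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <iostream>
#include <string>

// Accept the file only if it is a regular file owned by the effective user
// (the setuid owner) with no group/other permission bits set.
bool read_secret(const char* path, std::string& out) {
    out.clear();
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);  // refuse symlinks
    if (fd < 0) return false;
    struct stat st;
    // fstat() on the open descriptor avoids a check-then-open race on the path.
    bool ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
              st.st_uid == geteuid() &&
              (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
    char buf[256];
    ssize_t n = 0;
    while (ok && (n = read(fd, buf, sizeof buf)) > 0)
        out.append(buf, static_cast<size_t>(n));
    close(fd);
    if (n < 0) ok = false;  // read error
    while (!out.empty() && (out.back() == '\n' || out.back() == '\r'))
        out.pop_back();     // strip the trailing newline
    if (!ok) out.clear();
    return ok && !out.empty();
}

// Give up the setuid identity for good once the secret is in memory.
// setresuid/setresgid are Linux/BSD calls; they also reset the saved IDs.
bool drop_privileges() {
    uid_t uid = getuid();
    gid_t gid = getgid();
    return setresgid(gid, gid, gid) == 0 && setresuid(uid, uid, uid) == 0;
}

// Placeholder path: substitute the file created in step 1.
static const char* kSecretPath = "/path/to/protected/password";
int main() {
    std::string secret;
    if (!read_secret(kSecretPath, secret)) {
        std::cerr << "password file missing or has unsafe permissions\n";
        return 1;
    }
    if (!drop_privileges()) return 1;
    // Decrypt with `secret` here; never print or log it.
    return 0;
}
```
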
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow