VB6 Password Security

Storing usernames and passwords as plain strings in a VB6 application poses a security risk due to potential memory dumps. Recommended solutions include using Byte arrays for secure strings, encrypting passwords before storage, utilizing secure API calls for memory management, avoiding global variables for credentials, employing hashing for verification, and leveraging a secure credential store like Windows Credential Manager. Implementing these strategies can significantly reduce the risk of password exposure in memory dumps.

Uploaded by

bookpdf092
Copyright
© All Rights Reserved

Fixing Username and Password Stored in Memory String in VB6 Application

Storing usernames and passwords in memory as plain strings in a VB6 application is a security risk
because memory can be dumped and analyzed by an attacker. To fix this issue, follow these
approaches:

1. Use Secure Strings (Alternative Approach)


- VB6 does not have built-in secure string handling like modern languages.
- Instead of using String, use Byte() arrays and overwrite them when done.

Dim password() As Byte
Dim i As Long

' The literal is for illustration only; a literal also remains in the compiled program
password = StrConv("MySecretPassword", vbFromUnicode)

' Use the password (e.g., hashing, encryption, authentication)

' Overwrite password in memory
For i = LBound(password) To UBound(password)
    password(i) = 0
Next i

2. Encrypt Before Storing


- Never store the password in plaintext.
- Use an encryption algorithm like RC4 or AES (via API calls or external libraries).

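Example using simple XOR encryption:

Function EncryptDecrypt(ByVal InputStr As String, ByVal Key As String) As String
    ' Repeating-key XOR only obscures the value; it stands in here for a real cipher
    ' such as those named above. Calling it again with the same key restores the input.
    Dim i As Long
    Dim Result As String
    If Len(Key) = 0 Then Err.Raise 5 ' an empty key would divide by zero below
    Result = InputStr
    For i = 1 To Len(InputStr)
        Mid(Result, i, 1) = Chr(Asc(Mid(InputStr, i, 1)) Xor Asc(Mid(Key, (i Mod Len(Key)) + 1, 1)))
    Next i
    EncryptDecrypt = Result
End Function

Always clear the plaintext from the variable after use, here by overwriting it with the encrypted value:

password = EncryptDecrypt(password, "MyKey")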

3. Use Secure API Calls (Windows API)


- Windows provides CryptProtectMemory for encryption of sensitive data.

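Example of wiping a string with a Windows API call:

Private Declare Sub ZeroMemory Lib "kernel32" Alias "RtlZeroMemory" (ByRef Destination As Any, ByVal Length As Long)

Sub SecureErase(ByRef password As String)
    ' RtlSecureZeroMemory is an inline function in the Windows headers, not a DLL export,
    ' so the exported RtlZeroMemory is used on the string's own buffer
    If LenB(password) > 0 Then ZeroMemory ByVal StrPtr(password), LenB(password)
End Sub

This overwrites the password's buffer after use; any other copy of the string the program has made must be wiped separately.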

4. Avoid Storing Passwords in Global Variables


- Store credentials only as long as necessary.
- Use session tokens instead of keeping passwords in memory.

5. Hashing Instead of Storing Passwords


- If verifying passwords, use hashing (e.g., MD5, SHA-1, SHA-256 via external DLLs or APIs).

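Example using an external API:

' advapi32.dll has no MD5Hash export; hashing goes through CryptAcquireContext, CryptCreateHash, CryptHashData and CryptGetHashParam
Private Declare Function CryptHashData Lib "advapi32.dll" (ByVal hHash As Long, ByRef pbData As Any, ByVal dwDataLen As Long, ByVal dwFlags As Long) As Long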

6. Use a Secure Credential Store


- Windows Credential Manager can be used via API calls to securely store credentials.

By following these steps, you reduce the risk of password exposure in memory dumps.
