I had been using a string to store passwords in my program, when it dawned on my that people will be able to view the strings by opening the exe file in a hex editor and even if the passwords themselves are encrypted, presumably by another string, how can I prevent a hacker from guessing that a certain string encrypted by another certain string in the exe file is a certain password?

Thanks for your suggestions.

Passwords aren't usually encrypted. Instead, they're hashed so that the original string can't be (easily) reconstructed.
However,

how can I prevent a hacker from guessing that a certain string encrypted by another certain string in the exe file is a certain password?

How can you prevent someone from just taking your check_password() function call and changing it to a true value? The answer is: you can't. A sufficiently determined attacker can do anything he wants if he has access to your (source or binary) code.

A program cannot hide its own data. And no, the private keyword won't help. ;)

Well I'm certainly no hacker. But even I was smart enough to think about scanning the exe file for strings. I doubt I'll ever have the know how to recreate binary code or manipulate values of specific functions at run time however. So at least I'll be able to safeguard against a certain subset of the population. Folks like me. And trust me, we out number the true hackers by far.

But I was able to come up with a solution of sorts. I'm now assigning char * consts to global chars * assigned to the desired password within the scope of a setter function called before main(). I was thinking that I would have to start out each char * at a random value, and then increment each element the required # of times, but it turns out just having individual elements assigned a value prevents the string from being stored in the exe. At least so it seems. I did a scan of the exe and didn't find any occurrences..

Is there something I might be missing however?

+1 helios. Don't store the password in your exe. Hash it and keep the result in the exe instead.

Don't forget to pepper your code with strings like "password", "abc123", "rosebud", "pass", "Open Sesame", and "if you're reading this, then get out of my code"

Another vote for the hash approach (with a secure hash alg, rather than CRC32 or the like)

what about this: intuitively I'd agree with you that hashing sounds like a better idea, and if this code snippit didn't appear to work, I'd look further into it.



I scanned the exe for 'zzz' but it appears the implementation of the above code seems to suffice.
Is it worth it looking into to 'hashing' or could I just leave it as is, for the time being anyway.

If you're looking for a secure hash implementation, have a look at PGP
http://en.wikipedia.org/wiki/Pretty_Good_Privacy
http://www.openpgp.org/

If you're using Windows, you could use the CryptoAPI (e.g. CryptCreateHash/CryptHashData/...). There is also the "Cryptography API: Next Generation" for Window Vista and onwards; I have not used the new API so know nothing about it.

Instead of using a hash you could simply use XOR.
If the padding data is random, you'll get a one-time pad.
You'll have to precompute your passwords, obviously.

But like I said, a program cannot hide its own data. So if together with the encrypted passwords you also store the key (i.e. padding data) then it's all for nought (Edit: in which case a hash is indeed the best solution).