My application connects to an FTP server with a username and password. I can create an encryption routine to encrypt and decrypt the password, but anybody with access to the source code and the encrypted password can decrypt the password.
Is there an easy way to prevent every human being from knowing the entire password used by an application? (I think it’s okay if multiple people know part of the password.)
EDIT: I know FTP is not secure. Ideally, I’d like a technique that would work in any situation where a username and password are required (e.g. a database connection).
No. All an app user has to do is sniff their own network traffic (easy to do with Wireshark or such).
You really need a way to give each user a unique token of some sort.
Edit – more info:
Any system that relies on ‘secret’ login information that is the same for every copy of the application is flawed by design. In order to keep things secure, every install of your app must have a unique secret that it uses to authenticate with the server. How you accomplish that is dependent on how you license/distribute your app. Here is how I would do it. (Perform all communication over an SSL connection).
Alternate step 3 is: app submits info from step 2 and server sends back a hash signature of the info + salt. Hash signature is now your app’s key.
The important thing is that there is no ‘secret’ shared between all your users.
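The per-install key scheme described in this answer, as an added illustration (not the answer author's code): a server-side secret plus a per-install salt derives one key per install ("hash signature of the info + salt"), the app proves possession of that key with an HMAC over a fresh challenge, and revoking one install leaves every other install untouched. The class names, the install-info strings and the challenge-response step are assumptions chosen for the example; in practice the provisioning and login exchanges run over TLS, as the answer says.

```python
import hashlib
import hmac
import secrets


class ProvisioningServer:
    """Constructed server side: every install gets its own key, derived from a
    secret that exists only on the server plus a per-install salt."""

    def __init__(self) -> None:
        # Assumption: this secret never leaves the server; it is not shipped in the app.
        self._server_secret = secrets.token_bytes(32)
        self._installs: dict[str, tuple[bytes, bytes]] = {}  # install_id -> (info, salt)
        self._pending: set[bytes] = set()  # challenges issued but not yet answered

    def _derive_key(self, install_info: bytes, salt: bytes) -> bytes:
        # "Hash signature of the info + salt": an HMAC keyed with the server secret.
        return hmac.new(self._server_secret, install_info + salt, hashlib.sha256).digest()

    def register_install(self, install_info: bytes) -> tuple[str, bytes]:
        """Provisioning (over TLS in practice): the app submits install-specific info,
        the server answers with an id and the key that this install will use."""
        install_id = secrets.token_hex(8)
        salt = secrets.token_bytes(16)
        self._installs[install_id] = (install_info, salt)
        return install_id, self._derive_key(install_info, salt)

    def issue_challenge(self) -> bytes:
        """A fresh nonce per login attempt, so a captured answer cannot be replayed."""
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, install_id: str, challenge: bytes, response: bytes) -> bool:
        """Accept the login only if the response proves possession of this install's key
        and answers a challenge that is still outstanding."""
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)  # single use, whatever the outcome
        entry = self._installs.get(install_id)
        if entry is None:
            return False
        expected = hmac.new(self._derive_key(*entry), challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def revoke(self, install_id: str) -> None:
        """Revoking one install does not touch any other, because nothing is shared."""
        self._installs.pop(install_id, None)


class AppInstall:
    """Constructed client side: holds only its own key, never the server secret."""

    def __init__(self, install_id: str, key: bytes) -> None:
        self.install_id = install_id
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def run_demo() -> dict[str, bool]:
    """Exercise the scheme; returns the outcome of each scenario for inspection."""
    server = ProvisioningServer()
    a_id, a_key = server.register_install(b"install-info:machine-A")  # constructed values
    b_id, b_key = server.register_install(b"install-info:machine-B")
    app_a, app_b = AppInstall(a_id, a_key), AppInstall(b_id, b_key)

    c1 = server.issue_challenge()
    resp_a = app_a.answer(c1)
    results = {"genuine_install_accepted": server.verify(a_id, c1, resp_a)}

    # The same response presented again answers a challenge that is no longer pending.
    results["replayed_response_rejected"] = not server.verify(a_id, c1, resp_a)

    c2 = server.issue_challenge()
    results["other_installs_key_rejected"] = not server.verify(a_id, c2, app_b.answer(c2))

    c3 = server.issue_challenge()
    server.revoke(a_id)
    results["revoked_install_rejected"] = not server.verify(a_id, c3, app_a.answer(c3))

    c4 = server.issue_challenge()
    results["other_install_unaffected_by_revocation"] = server.verify(b_id, c4, app_b.answer(c4))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The server stores only the install info and salt and re-derives each key on demand, so a database dump does not hand out ready-to-use keys; the app stores only its own key, so a copy of one install's binary and config yields one credential that can be revoked without affecting anyone else, which is the property the answer is after.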