Suggestions to hide plaintext password in net/smtp


vincen...@gmail.com

Oct 26, 2016, 7:02:37 PM10/26/16
to golang-nuts
Hi

I am new to Go and I have a Go program to send email, similar to https://golang.org/pkg/net/smtp/#example_SendMail, below:

package main

import (
    "log"
    "net/smtp"
)

func main() {
    // Set up authentication information.
    auth := smtp.PlainAuth("", "us...@example.com", "password", "example.com") //<====plaintext password here

    // Connect to the server, authenticate, set the sender and recipient,
    // and send the email all in one step.
    to := []string{"reci...@example.net"}
    msg := []byte("To: reci...@example.net\r\n" +
        "Subject: discount Gophers!\r\n" +
        "\r\n" +
        "This is the email body.\r\n")
    err := smtp.SendMail("mail.example.com:587", auth, "us...@example.com", to, msg)
    if err != nil {
        log.Fatal(err)
    }
}

This Go program runs on a little PC that could be shipped to users, and the little PC would be beyond my control. I read through the Internet and pretty much everyone says it is a bad idea to put a plaintext password in applications, even in a compiled binary. This link http://manoharvanga.com/hackme/ "Deconstructing an ELF file" even describes in detail how to reverse engineer the binary and reveal the password.

So if storing a plaintext password in a compiled Go binary is a bad idea, is there any way around it in my Go net/smtp scenario? I looked at bcrypt but am not sure how to apply bcrypt in this situation; storing a hashed password in the program? Any suggestions are welcome! Thanks!

Note I don't need military-grade security, but secure enough to deter most attempts to steal the email password.

Thanks

Vincent

a...@kew.com

Oct 26, 2016, 7:38:41 PM10/26/16
to golang-nuts
I am startled to see someone asking how to embed passwords in a binary a week after the DDoS attack on Dyn (https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/). While that used exposed passwords for the client, you should learn from it.

Ignoring Go for a moment:
  1. Don't store credentials in a binary. Use a secure configuration file (for example, on Mac OS X use the keychain).
  2. Don't have multiple users use the same user id or password.
I have doubts that you want to be using SMTP at all; using an authenticated HTTP server which accepts specific data that can be validated (which then sends an email if that's what's really needed) is probably more secure.

-ahd-

Egon

Oct 26, 2016, 7:50:49 PM10/26/16
to golang-nuts
tl;dr: there is no secure way to embed a password inside an executable.

It depends on what you want to keep protected, or why you need to hide the password in the first place. What is the purpose of the program?

If you just need to protect the email account, set up a server that accepts an https+POST request and sends the email. That computer would be under your control and you can store the password there.

+ Egon
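The relay both replies describe, as an added example that is not code from the thread or from net/smtp: the SMTP password lives only on a server you control (read from assumed SMTP_HOST, SMTP_USER and SMTP_PASS environment variables), devices POST a JSON request over TLS, and the relay builds the mail itself, rejecting CR/LF in client-supplied header fields so a device cannot inject extra headers. Device-to-relay authentication (per-device tokens or client certificates, per ahd's second point) and the certificate files are assumed to be provisioned separately.

```go
package main
import (
	"encoding/json"
	"errors"
	"log"
	"net/http"
	"net/smtp"
	"os"
	"strings"
)
// Request is the only data a device may supply; the relay builds the mail itself.
type Request struct {
	To      string `json:"to"`
	Subject string `json:"subject"`
	Body    string `json:"body"`
}
// buildMessage validates the request and formats the mail. CR/LF in header
// fields is rejected so a client cannot smuggle extra headers (e.g. recipients).
func buildMessage(r Request) ([]byte, error) {
	if !strings.Contains(r.To, "@") || strings.ContainsAny(r.To+r.Subject, "\r\n") {
		return nil, errors.New("invalid recipient or header field")
	}
	msg := "To: " + r.To + "\r\nSubject: " + r.Subject + "\r\n\r\n" + r.Body + "\r\n"
	return []byte(msg), nil
}
func main() {
	// Assumed environment variables, set on the relay host only; the shipped device binary never sees them.
	host, user, pass := os.Getenv("SMTP_HOST"), os.Getenv("SMTP_USER"), os.Getenv("SMTP_PASS")
	auth := smtp.PlainAuth("", user, pass, strings.Split(host, ":")[0])
	http.HandleFunc("/send", func(w http.ResponseWriter, req *http.Request) {
		var r Request
		if req.Method != http.MethodPost || json.NewDecoder(req.Body).Decode(&r) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		msg, err := buildMessage(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if err := smtp.SendMail(host, auth, user, []string{r.To}, msg); err != nil {
			http.Error(w, "send failed", http.StatusBadGateway)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	})
	// TLS so the device-to-relay hop is encrypted; certificate paths are assumed.
	log.Fatal(http.ListenAndServeTLS(":8443", "relay.crt", "relay.key", nil))
}
```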