We’ve examined two different ways that enable you to locate the password verification component of a program. Once there, we discussed a couple of ways you can test to see whether the validation routine can be virtually "picked." In addition, if the program decrypts the password before validating it, you can use these techniques to view the plain text password in the device’s memory. Finally, even if the password is properly protected, it may still be possible to extract or reuse the encryption components of the software to crack the password.
The point of all this was to illustrate the dangers inherent in blindly trusting software to protect your data, and to prove that weak passwords can become the Achilles heel for even the best program. As we’ve demonstrated, it’s very easy for developers to hide behind a technical wall of obfuscation that most people don’t know how to penetrate. The end result is that software could be leaving many people exposed—with no one the wiser until it’s too late.