Obfuscation - and pesky strings

A friend of a friend asked

"When .NET code is compiled a program called Reflector can be used to decompile the binary file in to its original code. I understand there are tools called Obfuscators that will make the code harder to read, but it can still be decompiled and read in plain text. The problem with obfuscation is that any database username and passwords in the code are still readable as plain text. Is there anyway to stop this problem?"

This is a big old topic (the "do you really need to store the username and password in the code" is a good place to start) - but it also points out a common misconception about .NET code and obfuscation. Many folks assume that the free obfuscator we ship in the box 

1. Represents all that obfuscators are able to do and
2. There is no other approach than obfuscating

In reality

1. Many companies create more powerful obfuscators than the one we ship in the box - which include features such as string encryption (all string or selected strings)
2. Obfuscation is just one approach - you can also use techniques such as encrypting launchers and native code compilers.

A good place to start is the howtoguide from August 2005 which includes a great comparison table (As this is a few years old, do check the specifics of each tool at their site as things will have changed).

If anyone has a more recent comparison, please do share. Thanks.