arch0nmyc0n, posted March 25, 2012:
I need to store a password somewhere safe. I've already encrypted it using the _crypt commands, but I need to find a safe place to store it. Where would you store a password if you wanted to protect it?

Andreik, posted March 26, 2012:
In your brain, it's the best place. If you think to write the password to a file, this one can be deleted or someone curious may think to try to decrypt it. Maybe if you give us a context, what's the purpose of this, we can help you more.
When the words fail... music speaks.

Skitty, posted March 26, 2012:
Andreik is 99.98% right, almost as right as you can get. The 00.01% where he's wrong is the part about it being safe in your brain. I don't agree, even that's not safe enough. The best you can do is create an application that is smarter than you and can anticipate your actions and take action against the anticipated anticipation. Say you attach a debugger; creating an application in this concept would be the best method, in theory. Let's say you actually created such a script and attached a debugger to the application. Well, your script anticipated these actions and had already created another hidden process and deleted the debugger application 3 seconds before you ran it. In response to this, you would assume you have some kind of malware application on your system after that, but the script anticipated these thoughts and had submitted itself for a virus scan at virustotal prior to this and linked you to the page for the results and explained to you why it did what it did. You following me? Then you say, well, I'm going to run it on a fresh machine, so it doesn't know that I've messed with it before, this way I'll have the upper hand and fool the bastard and extract the password. You run the application and somehow it knew what you were up to and cold-boots the system without even running. You need to develop a method to have it intercept a user's brain waves and analyze them to detect particular patterns that would signify a user's intention is to decompile your application. I think I saw a script here somewhere that interpreted brain waves, Google it.

Command3r, posted March 26, 2012:
ummm try this complex solution
- save it in a text file
- crypt the text file "with pw"
- upload the text file to your e-mail
- save the download link in a text file
- crypt the text file "with another pw"
and this is all
Advice for you: Search before posting. Problem solved? If yes, press "Mark Solved" button.

arch0nmyc0n (Author), posted March 28, 2012 (edited March 28, 2012 by arch0nmyc0n):
I understand that storing a password on a system isn't a good idea, granted. However, if you were going to, where would you save it that you would consider to be the safest location?
I know it's like choosing between an open field or under a tree during a thunderstorm but...
Context:
Personal script on my laptop for logging into several programs which takes time to do. Wrote it so I can wander off for 15 minutes and come back to everything logged in and ready. Currently stored in an INI file in the script directory. Was thinking of trying a registry location but not sure where "safe" is in the registry. Was also thinking of changing the permissions on the registry location to my user only.

Skitty, posted March 28, 2012:
> I understand that storing a password on a system isn't a good idea, granted. However, if you were going to, where would you save it that you would consider to be the safest location?
> I know it's like choosing between an open field or under a tree during a thunderstorm but...
> Context:
> Personal script on my laptop for logging into several programs which takes time to do. Wrote it so I can wander off for 15 minutes and come back to everything logged in and ready. Currently stored in an INI file in the script directory. Was thinking of trying a registry location but not sure where "safe" is in the registry. Was also thinking of changing the permissions on the registry location to my user only.
I don't really see why you even need to protect a password on your own machine. The probability that anyone you know who will use it will attempt to reverse engineer your script is probably 1 in 10100, which I doubt will ever happen. Else, if you're making some kind of application that will be used by thousands of different people around the world and the script so happens to do something that would warrant some kind of investigation into its internal mechanics, then that number would be narrowed down to something very small, in which case it would be futile and you best take my advice above and create a script that can physically interact with a user outside of its little virtual environment and physically impair a user.
But if you're only using this on one machine and do not plan on using it on any other machine, then one good layer of protection that can be added would be to use the Windows API function called CryptProtectData, which will encrypt the data for use on the machine on which it was initially encrypted, rendering any attempt to steal your script and reverse engineer it on another computer nearly impossible and would require the reversing to happen on your machine.
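
The CryptProtectData approach suggested in the post above, as an added PowerShell example that is not part of the thread or any poster's code: it wraps the password with DPAPI through .NET's `ProtectedData` class in `CurrentUser` scope and keeps the resulting blob in a file readable only by that user. Assumptions: Windows PowerShell 5.1, and the storage path and entropy label `LoginHelper` are hypothetical names chosen for illustration.

```powershell
# Added example: DPAPI (CryptProtectData) via .NET ProtectedData, CurrentUser scope.
Add-Type -AssemblyName System.Security

# Hypothetical storage location and entropy label (assumptions, not from the thread).
$StorePath = Join-Path $env:LOCALAPPDATA 'LoginHelper\secret.bin'
$Entropy   = [Text.Encoding]::UTF8.GetBytes('LoginHelper/v1')

function Save-ProtectedSecret {
    param([Parameter(Mandatory)][string]$Secret, [string]$Path = $StorePath)

    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # The key material is derived from the user's Windows logon, not stored in the script.
        $blob = [Security.Cryptography.ProtectedData]::Protect(
            $plain, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext byte buffer
    }

    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    [IO.File]::WriteAllBytes($Path, $blob)

    # Drop inherited ACEs and grant only the current user access to the blob file.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls.exe $Path /inheritance:r /grant:r "${me}:(R,W)" | Out-Null
}

function Read-ProtectedSecret {
    param([string]$Path = $StorePath)

    $blob = [IO.File]::ReadAllBytes($Path)
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch {
        # Fails for a different Windows account, a different machine, or a modified blob.
        throw "Blob cannot be decrypted in this context: $($_.Exception.Message)"
    }
    [Text.Encoding]::UTF8.GetString($plain)
}

# Round trip with a constructed sample value.
Save-ProtectedSecret -Secret 'constructed-sample-password'
Read-ProtectedSecret
```

The blob is useless when copied to another account or machine, but any process running as the same user can call `Unprotect` on it, so this protects against theft of the file, not against code already running in the user's session.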

arch0nmyc0n (Author), posted March 28, 2012:
Thank you for your reply

Dana, posted March 28, 2012:
It's easy to hide things in the registry. Just poke around, see what's there (and unrelated), and make up a new key name that's unique and doesn't look anything like your program. Then store the password (encrypted or not, since nobody will ever think of looking there) in the new key. You won't hurt anything, since you're making up a new unique key name, and no other program will access the key.
Another way is to store it in a text (or other) file, but name it something inconspicuous for where you put it... for example, xyz.dll (even though it's not really a dll file) and put it in windows\system32. Who would suspect any odd dll file there?

arch0nmyc0n (Author), posted March 28, 2012:
Hmm I suppose you are right, that'll probably suffice for what I'm doing. Thank you for your reply.

Zedna, posted March 28, 2012:
> Another way is to store it in a text (or other) file, but name it something inconspicuous for where you put it... for example, xyz.dll (even though it's not really a dll file) and put it in windows\system32. Who would suspect any odd dll file there?
The weakness of this concept is that the name of that "hidden/secret" file name/location is stored in the sources of the program that reads this password.
So if somebody can get your program (EXE) and decompile its sources (AU3), then he knows where to find the password.

stormbreaker, posted March 29, 2012:
This reminds me of something I did months back. Firstly, I converted the password string to hex, then reversed each byte (e.g. E0 to 0E, 45 to 54) and then added 1 to each modified value. Then I encrypted it and wrote the value at an empty sector specially reserved by my program folder. Since the password wasn't stored as a file, but as raw data on disk, I had no problems back then.
Hey there, was I helpful? My Current OS: Win8 PRO (64-bit); Current AutoIt Version: v3.3.8.1

Andreik, posted March 29, 2012:
And how can you be sure no one will write this memory with something else?

stormbreaker, posted March 29, 2012:
Oops. I forgot to mention that I had left a gap of 1 sector in between my installed files. In other words, I used this 2048 bytes space to save about 50 bytes of info, and filled the remaining area with zeros. This single sector was associated with 2 files in the NTFS/FAT file table, rendering the system unable to use that space until both the files were deleted. However, it does have drawbacks, as we can easily find out the password using disk editors.