Jump to content
Sign in to follow this  
Guest

Security of passwords given to InputBox

Recommended Posts

Guest

I'd like to know if the arrangement I've created is giving me a false sense of security or if I've actually suceeded in creating a secure situation with my script.

I have written a script that starts a secure application. First up the script asks me via InputBox for my password. The entry of the password shows as asterisks, not the actual characters of the password.

The script then asks what time I want the application to launch. After I enter the launch time, the script sleeps, then runs the application at the specified time, sending the password.

I didn't want the password typed into my script code for use at launch time because then the password would be visible in plain text for anyone browsing my scripts on my hard drive. I did look briefly at the encryption suggestions on the AutoIt forum but quickly realized I was out of my depth and did not have the time to study enough to really understand the encryption methods.

So I figured the InputBox approach would allow a script to hold the password in RAM until application launch.

Is the password actually secure like this?
Or can it be retrived and read by someone who knows where to look? Say, in an event log for instance. I know such a thing exists for AutoIt but haven't figured out how to browse it.

If the password can be read, just how easy is it and how common is that knowledge?

Thanks in advance for your consideration of this issue,

Novarina


 

Share this post


Link to post
Share on other sites
FireFox

Hi,

Welcome to the autoit forum :)

With some skills on program memory, anyone can get the address where is stored the password.

I would use a simple encryption, then store this encrypted password and decrypt it at launch.

Take a look at the helpfile, there are examples and it should not be hard for you to understand how it works, really.

Br, Firefox.


 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 

Share this post


Link to post
Share on other sites
jchd

Do you mean that a secure application accepts the password as a command-line parameter, really?

No script (whatever AutoIt or something else) and no program in general can be absolutely protected against abuse.

You can indeed encrypt the variable until use but all you're going to get is protection against kid sister and grand'ma, and a false feeling. Sorry for that.

Forum rules ban discussion about reverse-engineering so this is all I shall say.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
Guest

Thank you to FireFox, jchd, and jaberwocky6669 for your responses.

Jaberwocky - I've reviewed the post you linked to. You are right. This other person was trying to do exactly what I am.  I didn't find that post when I searched.  I never would have seen it without you pointing it out. I like the idea of storing something in the registry. Didn't know you could do that.

jchd - I don't think I understand your question. When I said secure, I meant that a login and password are required. It never occurred to me that my software would reject info sent to it by AutoIt. But actual practice shows that it does accept info sent by AutoIt. I don't understand why encryption is not good protection. I thought encryption was how many different things are made secure and that they are secure once encrypted.  I have heard that any encryption can be broken with enough computing power but that at some point the anticipated gain is not worth the anticipated effort and the hacker looks elsewhere.  I believe my data would appear to be not worth the effort of hacking.

FireFox - I have now read the helpfiles on the crypt functions.  I'm afraid the help files are not very helpful.  You need to already understand how encryption works and should be set up before you can make use of the help files.  I have now done some reading about encryption generally. 

Having read the linked post and the help files and some general reading on encryption this is the gist I have gotten. Please correct anything I have misunderstood.

Using the crypt function will require me to specify an encryption key, and near as I can tell this key is itself a password or requires one to be specified.  The key is used during the encrypt and decrypt functions so the key must remain available to the AutoIt script after it is used to encrypt, else the decryption will not succeed.  Just like the unencrypted login password would remain in memory (and therefore accessible to a knowledgeable thief), the encryption key will be in memory if I use InputBox to enter the key or will be in plain text in my script if I specify the key in the code of my script. This does not sound more secure than an unencrypted login password stored in memory.

Perhaps this is the reason behind jchd's statement that any encryption of the login password will only provide protection against 'grandma' and a false feeling of security.  It seems that encryption, in this situation, would slow down a thief but not stop them.  The situation being that somewhere somehow I have to give the computer a password/key that it can use to encrypt/decrypt and it has to store that key somewhere because I will not be there to provide the key at the moment of decryption.

Another choice would be to use the crypt derive/destroy key functions, but even those functions require passwords. Same problem as above.

An alternative impression I got was that an encryption algorithm could be used without a key to encrypt something, but then anyone who can identify the encryption algorithm (which would be specified in plain text in my code) would be able to run the algorithm and decrypt my login password. 

Am I understanding this right?

One final issue. As I understand it, if my computer (desktop, no battery) is unplugged, anything stored in RAM is obliterated. If someone walked away with my CPU, even a knowledgeable thief could not get anything that was stored in memory.  Is this so?

Share this post


Link to post
Share on other sites
jchd

You draw a good picture yourself of the circular reasonning behind the good that encrypting credentials would give.

In other terms, you have a secret and you put it in a safe. Good, the secret is hidden, but now you have a key to hide.

You can still do something: run your script, enter the credentials as you do currently, start your countdown and change the session to a non-admin account (without closing the previous session) then enter standby. Unless Eve (an evedropper) can't bruteforce passwords to both sessions, you're relatively safe (as much as Windows is). Of course, both sessions need login to wake up and change user. If you're on a network, remote attack is possible but again will need cracking the session password.

Whatever is stored in memory can get swapped to disk at any time so even if the plug is pulled your secret is not definitely protected. But the odds are low that Eve would try that. She would more likely install a keyboard bug or a troyan or otherwise compromise the machine you use.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
Chimp

In this regard, I wonder how works a mechanism implemented by IE.
if you open the windows "internet options" of internet explorer
from IE tools --> options -->  protection --> custom level -->
you find in the list a voice that says: user autentication - user autentication with current username and password.

if this option is flagged, and you navigate to a site that requires your user name and password, those are "sent" automatically (??) without the need to type it.
well, do someone knows how this technically works?, and if this mechanism could be used by autoit programs to recognize (and authenticate) the user that is running that program?
thanks


small minds discuss people average minds discuss events great minds discuss ideas.... and use AutoIt....

Share this post


Link to post
Share on other sites
Guest

jchd,

Thanks for your input. You've cleared up a lot for me. I have run into a small problem in the course of these experiments. I created and wrote a key to the registry using AutoIt functions. I went to delete that key and found that I cant delete it. I checked the permissions on the key and gave myself full control, even though as an administrator I should have been granted full permission. Still cant delete the key. Then I ran my autoit script again and now I find I cant overwrite with new data. And I tried using the RegDelete funciton via an autoit script but that doesnt work either.

I was able to create the key, I should be able to edit or delete the key.

What is going on?  How do I delete this key?

Share this post


Link to post
Share on other sites
jchd

Maybe a jet torch applied at the right place?

Seriously, I don't know, but where exactly did you write it in the registry? Sometimes permissions, or rather prohibitions, in Windows are getting me on nerves.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
Guest

jchd,

I wrote it into a new folder in HKLMSystemWPA.  I had previously created keys in a new folder in that WPA folder and had been able to delete them.

I'm stumped.

Share this post


Link to post
Share on other sites
jchd

Ha! WPA is ... well, special. You would say "Most of Windows is", but Google HKLMSystemWPA to get why ;)


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Share this post


Link to post
Share on other sites
Guest

alas.  it appears I'm stuck with that key until I'm ready to try some of those solutions on it. Thanks for the info. And thanks for all your help.  I'm marking this one solved. :bye:

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×