_crypt_hashdata password in script

[MWIDNER21]

Hello all, I am trying to "hide" a password in a script. I used the _crypt_hashdata command and created a hash I can use. Once I did that I put that hash into an obscure file on a file share that is secured. I then will have my script call that file and read the line for the hash then use the rest of the script to "decode" the hash and input the password. My issue is I am unable to find a way to actually use the hash and "decrypt" it or use it to grant permissions to the script to run. I'm not sure if decrypt is the right way to put it, but I want to use the hidden password to execute a command as a different user in the script.

Thank you.

[mrider]

A "hash" is non-reversible.  The theory is that bytes of data are mathematically processed such that two different data sets are unlikely to produce the same result.  Even changing one bit will have a large effect on the result.  The theory is also that it is impossible - or at least very, very difficult - to go from the result of the algorithm back to the original bytes.

 

Using a hash for a password works like this:

When the user sets her password, the hash is generated and stored for later reference.

When the user tries to log in, she supplies her password.

The same hash algorithm is used to create a hash.

The stored hash is compared to the generated hash.  If they match the user supplied the same password.

 

 

Certainly you can encrypt the password so that it isn't stored in your program, but if you do so then you either need to embed the password for the encryption or ask the user for the encryption password.  (It's turtles all the way down). 

You are encountering the same problem the media giants are encountering with DRM.  You are trying to keep the end user from knowing the password while simultaneously allowing a user to access data/whatever that requires said password.  It (meaning a password) has to be somewhere.

Edited November 19, 2013 by mrider

[MWIDNER21]

So maybe hashing the passwod isn't the way to go? I just dont want the password in clear text in the source code.

[mrider]

I've never used encryption in AutoIt, so maybe someone that actually knows what they are doing will chime in.  However, in rough terms here's what I would do if forced.

* Write a throwaway script that derives a key from a passphrase.

* Extract the bytes from that key and record them in some way.

* Also use the throwaway script to encrypt the real password and store the result in your file.

* Embed the key as raw bytes in your real script.

* Reassemble the bytes inside your real script and use that reassembly as the key.

* Use the key to decrypt the data in your file which is stored separately.

You'll want to look at:

_Crypt_DeriveKey,

_Crypt_EncryptData (or file), and

_Crypt_DecryptData (or file)

Edited November 19, 2013 by mrider

[BrewManNH]

Use _Crypt_HashData to hash the first password, the one you want to compare against, store that in your script because it's at least as secure as it can be there. Then when a user enters their password, you use _Crypt_HashData to hash the entered password, do a very simple "if $storedhash = $enteredhash then" statement to compare the hash of the entered password against the stored password to see if they match or not. The collisions on the hashes are slight enough to make it fairly secure.