Encryption Level on AutoIT

[JLAMERTON]

I am trying to script installations of software. As part of this i need to have usernames and passwords stored within the AutoIT code to pass to the application.

However the security restrictions in place means that any passwords stored must be subject to AES 128 encryption.

Obviously i could look at throwing up a prompt requesting a password and encrppt this using _StringEncrypt() however i am trying to avoid any prompts at all.

1. Encypt the Exe or code within it to meet the requirements?

2. My other thought is that i store the usernames and passwords on a SQL database and then have a lookup onto that database to get the required information and pump it into the code.

With Option 2 has anybody have an example of this, would it be a case of having a lookup that sets 2 variables for the username and password? Is it possible to use variables to pump input into boxes within the script?

Thanks

[Prab]

1. You can encrypt the main password with another password using _StringEncrypt(). To do this you need the second password and the encrypted password to be in the script, so a determined hacker could figure both out eventually. Also note, I believe that _StringEncrypt() uses RC4, but you can find UDF at http://www.autoitscript.com/forum/index.php?showtopic=78745 that lets you use AES.

2. How would you authenticate with the DB? If you need to use a password, it would have to be in the script and then you are back to problem 1. On the other hand, this would allow you to do logging, so you would know which computers are accessing the DB.

What do you mean by pump input into boxes? - I think you mean to use some password as the default text. If so, yes this is possible. Just look up inputBox() in the help file.

[Jos]

I am trying to script installations of software. As part of this i need to have usernames and passwords stored within the AutoIT code to pass to the application.

However the security restrictions in place means that any passwords stored must be subject to AES 128 encryption.

Obviously i could look at throwing up a prompt requesting a password and encrppt this using _StringEncrypt() however i am trying to avoid any prompts at all.

1. Encypt the Exe or code within it to meet the requirements?

2. My other thought is that i store the usernames and passwords on a SQL database and then have a lookup onto that database to get the required information and pump it into the code.

With Option 2 has anybody have an example of this, would it be a case of having a lookup that sets 2 variables for the username and password? Is it possible to use variables to pump input into boxes within the script?

Thanks

I cannot see how you can make this really safe.

The password needs to be decrypted whatever you do and passed onto the application.... right?

Jos

[JLAMERTON]

Yes i know it would not be secure completely however its mainly to stop people taking copies of EXE's and scripts off site that have unencrypted passwords!

I think sounds like a SQL lookup would be the way to go.. The way we are running the scripts is from a central server so can run it as an account that has permissions onto the DB.

Has anyone got some sample code that does a SQL lookup using NTLM? I am thinking would work like this (apologies not used autoit to do this kind of thing before)

Connect to SQL using NTLM

Lookup Column * Row *

Put Value A into Username variable

Put Value B into Password Variable

Thanks for the help again