Store a Password

Andreik is 99.98% right, almost as right as you can get; the 00.01% where he's wrong is the part about it being safe in your brain. I don't agree, even that's not safe enough. The best you can do is create an application that is smarter than you and can anticipate your actions and take action against the anticipated anticipation. Say you attach a debugger: creating an application in this concept would be the best method, in theory. Let's say you actually created such a script and attached a debugger to the application; well, your script anticipated these actions and had already created another hidden process and deleted the debugger application 3 seconds before you ran it.

In response to this, you would assume you have some kind of malware application on your system after that, but the script anticipated these thoughts and had submitted itself for a virus scan at VirusTotal prior to this and linked you to the page for the results and explained to you why it did what it did. You following me? Then you say, well, I'm going to run it on a fresh machine, so it doesn't know that I've messed with it before; this way I'll have the upper hand and fool the bastard and extract the password. You run the application and somehow it knew what you were up to and cold boots the system without even running. You need to develop a method to have it intercept a user's brain waves and analyze them to detect particular patterns that would signify a user's intention is to decompile your application. I think I saw a script here somewhere that interpreted brain waves, Google it.

Link to comment

ummm try this complex solution :bye:

- save it in a text file

- Crypt the text file "with pw"

- upload the text file to your e-mail

- save the download link in a text file

- crypt the text file "with another pw"

and this is all :oops:

Advice for you: Search before posting.

*********** Problem solved? If yes *********

******* press "Mark Solved" button. *******

Link to comment

I understand that storing a password on a system isn't a good idea, granted. However, if you were going to, where would you save it that you would consider to be the safest location?

I know it's like choosing between an open field or under a tree during a thunderstorm but...

Context:

Personal script on my laptop for logging into several programs which takes time to do. Wrote it so I can wander off for 15 minutes and come back to everything logged in and ready. Currently stored in an INI file in the script directory. Was thinking of trying a registry location but not sure where "safe" is in the registry. Was also thinking of changing the permissions on the registry location to my user only.

Edited by arch0nmyc0n
Link to comment

I understand that storing a password on a system isn't a good idea, granted. However, if you were going to, where would you save it that you would consider to be the safest location?

I know it's like choosing between an open field or under a tree during a thunderstorm but...

Context:

Personal script on my laptop for logging into several programs which takes time to do. Wrote it so I can wander off for 15 minutes and come back to everything logged in and ready. Currently stored in an INI file in the script directory. Was thinking of trying a registry location but not sure where "safe" is in the registry. Was also thinking of changing the permissions on the registry location to my user only.

I don't really see why you even need to protect a password on your own machine. The probability that anyone you know who will use it will attempt to reverse engineer your script is probably 1 in 10100, which I doubt will ever happen. Else, if you're making some kind of application that will be used by thousands of different people around the world and the script so happens to do something that would warrant some kind of investigation into its internal mechanics, then that number would be narrowed down to something very small, in which case it would be futile and you best take my advice above and create a script that can physically interact with a user outside of its little virtual environment and physically impair a user.

But if you're only using this on one machine and do not plan on using it on any other machine, then one good layer of protection that can be added would be to use the Windows API function called CryptProtectData, which will encrypt the data for use on the machine on which it was initially encrypted, rendering any attempt to steal your script and reverse engineer it on another computer nearly impossible and would require the reversing to happen on your machine.

Link to comment
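The CryptProtectData approach mentioned in the post above, as an added example that is not part of the original thread. It uses the .NET `ProtectedData` class, which wraps that API, with `CurrentUser` scope; the file path, the entropy label and the two function names are hypothetical, and it assumes Windows PowerShell 5.1.

```powershell
# Added example: DPAPI round trip through .NET ProtectedData (wraps CryptProtectData).
Add-Type -AssemblyName System.Security

# Hypothetical storage location and entropy label, chosen for this example.
# The entropy is not a secret (it lives in the script); it only separates this
# blob from other DPAPI blobs belonging to the same account.
$BlobPath = Join-Path $env:LOCALAPPDATA 'LoginHelper\secret.bin'
$Entropy  = [Text.Encoding]::UTF8.GetBytes('LoginHelper-v1')
$Scope    = [Security.Cryptography.DataProtectionScope]::CurrentUser

function Save-ProtectedSecret {
    param([Parameter(Mandatory)][string]$Secret, [string]$Path = $BlobPath)
    $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
    try {
        # CurrentUser scope: the key is derived from this Windows account.
        $blob = [Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)   # wipe the plaintext bytes
    }
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    [IO.File]::WriteAllBytes($Path, $blob)
}

function Read-ProtectedSecret {
    param([string]$Path = $BlobPath)
    $blob = [IO.File]::ReadAllBytes($Path)
    try {
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
    } catch {
        # Reached when the blob was copied to another account or machine,
        # was modified on disk, or the entropy does not match.
        throw "Cannot unprotect '$Path' under this account: $($_.Exception.Message)"
    }
    try {
        [Text.Encoding]::UTF8.GetString($plain)
    } finally {
        [Array]::Clear($plain, 0, $plain.Length)
    }
}

# Constructed sample value, not a real credential.
Save-ProtectedSecret -Secret 'constructed-sample-password'
Read-ProtectedSecret
```

Any process running under the same Windows account can unprotect this blob, so the protection covers a copied file or stolen script, not code already running as that user.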

It's easy to hide things in the registry. Just poke around, see what's there (and unrelated), and make up a new key name that's unique and doesn't look anything like your program. Then store the password (encrypted or not, since nobody will ever think of looking there) in the new key. You won't hurt anything, since you're making up a new unique key name, and no other program will access the key.

Another way is to store it in a text (or other) file, but name it something inconspicuous for where you put it... for example, xyz.dll (even though it's not really a dll file) and put it in windows\system32. Who would suspect any odd dll file there?

Link to comment

Another way is to store it in a text (or other) file, but name it something inconspicuous for where you put it... for example, xyz.dll (even though it's not really a dll file) and put it in windows\system32. Who would suspect any odd dll file there?

The weakness of this concept is that the name/location of that "hidden/secret" file is stored in the source of the program that reads this password.

So if somebody can get your program (EXE) and decompile its source (AU3), then he knows where to find the password.

Link to comment

:bye: This reminds me of something I did months back.

First, I converted the password string to hex, then reversed each byte (e.g. E0 to 0E, 45 to 54) and then added 1 to each modified value. Then I encrypted it and wrote the value to an empty sector specially reserved by my program folder. Since the password wasn't stored as a file, but as raw data on disk, I had no problems back then. :oops:

----------------------------------------

:bye: Hey there, was I helpful?

----------------------------------------

My Current OS: Win8 PRO (64-bit); Current AutoIt Version: v3.3.8.1

Link to comment

:oops: Oops. I forgot to mention that I had left a gap of 1 sector in between my installed files. In other words, I used this 2048-byte space to save about 50 bytes of info, and filled the remaining area with zeros. This single sector was associated with 2 files in the NTFS/FAT file table, rendering the system unable to use that space until both the files were deleted.

However, it does have drawbacks, as we can easily find out the password using disk editors.

Link to comment