best way to encrypt passwords in cmd files?

[scavenger]

hi

i am saving passwords in cmd files that i replay based on their names. these files have other variables setup than just passwords:

Code: Select all

var1=xyz
var2=xyz
password=P@ssw0rd

what is the best way to encrypt or obfuscate the passwords?
certutil.exe would encrypt the whole file and I don't want that.

I played around with powershell and got this proof of concept for encryption:

Code: Select all

set pass=P@ssw0rd
call set "gg=powershell -executionPolicy bypass -Command $SecureString = ConvertTo-SecureString "%pass%" -AsPlainText -Force; ConvertFrom-SecureString -SecureString $SecureString;"
call %gg%
--- prints out the secure string ----

unfortunately i can only spit out strings, i cannot dynamically set a password variable with it's output: a temporary file is needed, with a classic for loop to set a variable.

• could this be done without the use of temporary file?
• Is there a faster or a better practice commonly used by you guys?

[aGerman]

Password encryption in Batch is rather useless. So at least I don't do that at all, I don't think there is something like a "best way", and you better don't rely on things like that.

However, if you want to use PowerShell try it that way:

Code: Select all

@echo off &setlocal
set "password=P@ssw0rd"

setlocal EnableDelayedExpansion
for /f %%i in (
 'powershell -nop -ep bypass -c "ConvertFrom-SecureString -SecureString (ConvertTo-SecureString '!password:'=''!' -AsPlainText -Force)"'
) do endlocal &set "encrypted=%%i"

echo %encrypted%

for /f "delims=" %%i in (
 'powershell -nop -ep bypass -c "[System.Net.NetworkCredential]::new('', (ConvertTo-SecureString -String '%encrypted%')).Password"'
) do set "decrypted=%%i"


echo %decrypted%
pause

Steffen

[DQ2000]

Code: Select all

Encriptador:
@echo off
set /p palabra=Ingrese la palabra a cifrar:
set var=%palabra%
set resultado1=%var:a=1%
set resultado2=%resultado1:b=-%
set resultado3=%resultado2:c=.%
set resultado4=%resultado3:d=\%
set resultado5=%resultado4:e=$%
set resultado6=%resultado5:f=;%
set resultado7=%resultado6:g=?%
set resultado8=%resultado7:h=[%
set resultado9=%resultado8:i=+%
set resultado10=%resultado9:j=)%
set resultado11=%resultado10:k=]%
set resultado12=%resultado11:l=!%
set resultado13=%resultado12:m=(%
set resultado14=%resultado13:n=@%
set resultado15=%resultado14:ñ=¿%
set resultado16=%resultado15:o=,%
set resultado17=%resultado16:p=4%
set resultado18=%resultado17:q=/%
set resultado19=%resultado18:r=_%
set resultado20=%resultado19:s={%
set resultado21=%resultado20:t=#%
set resultado22=%resultado21:u=¡%
set resultado23=%resultado22:v=}%
set resultado24=%resultado23:w=:%
set resultado25=%resultado24:x=2%
set resultado26=%resultado25:y=6%
set resultado27=%resultado26:z=9%
echo %resultado27%
pause > nul
exit

Code: Select all

Desencriptador:
@echo off
set /p palabra=Ingrese la palabra a cifrar:
set var=%palabra%
set resultado1=%var:1=a%
set resultado2=%resultado1:-=b%
set resultado3=%resultado2:.=c%
set resultado4=%resultado3:\=d%
set resultado5=%resultado4:$=e%
set resultado6=%resultado5:;=f%
set resultado7=%resultado6:?=g%
set resultado8=%resultado7:[=h%
set resultado9=%resultado8:+=i%
set resultado10=%resultado9:)=j%
set resultado11=%resultado10:]=k%
set resultado12=%resultado11:!=l%
set resultado13=%resultado12:(=m%
set resultado14=%resultado13:@=n%
set resultado15=%resultado14:¿=ñ%
set resultado16=%resultado15:,=o%
set resultado17=%resultado16:4=p%
set resultado18=%resultado17:/=q%
set resultado19=%resultado18:_=r%
set resultado20=%resultado19:{=s%
set resultado21=%resultado20:#=t%
set resultado22=%resultado21:¡=u%
set resultado23=%resultado22:}=v%
set resultado24=%resultado23::=w%
set resultado25=%resultado24:2=x%
set resultado26=%resultado25:6=y%
set resultado27=%resultado26:9=z%
echo %resultado27%
pause > nul
exit

[scavenger]

Classic caesar cipher revisited lol I like that.

"Better stay away from batch for password encryption" thanks but that doesn't help.

you are certainly right but it's never my call when it comes to security, and I need to hide passwords somehow.

[DQ2000]

And what did you expect us to eat you?
you have to learn something always if we give it to you all of us never learn anything.

[pieh-ejdsch]

Maybe you shouldn't call the variable password.
More like count files or something.
Give the password file restricted / explicit user rights.

[penpen]

The "best way..." you are asking for most probably depends on what you want to achieve with your batch file.
So, why do you want to store passwords in batch?
Do you want to create a password-safe (~= collection of passwords enrypted),
do you want to create some kind of registration,
or a login-script or a login-frontend for another program, ... .

Some tasks might be accomplishable in a (hybrid batch/)powershell program, for example a password-safe;
this could be done using RSA (see https://social.technet.microsoft.com/wi ... errsa.aspx), if you are using a single (securely safed) decryption batch, then you could encrypt (and salt) all passwords in pretty secure way with a second encryption batch.


penpen

[scavenger]

Maybe you shouldn't call the variable password.
More like count files or something.
Give the password file restricted / explicit user rights.

very good idea!!!!

[scavenger]

the password needs to be stored in a file somehow. my issue is with characters like "^" which is used as escape character.
reading it with a for loop works but then, echo %pw% will not show the "^" but echo "%pw%" will, however that causes issues when i pass the password to an msi installer

whatever, let's close this subject. have a great week

[penpen]

If that#s your only issue, then you could do that (if i don't error) by using delayed expansion when usefull and not using it when harmfull; example:

Code: Select all

@echo off
setlocal enableExtensions disableDelayedExpansion

set "line="
for /f "usebackq tokens=* delims=" %%a in ("%~f0") do (
	set "line=%%~a"
	setlocal enableDelayedExpansion
	echo(!line!
	endlocal
)
goto :eof

sample password : \ ; , & | ^ ! %

Sidenote: When asking for help, you should consider mentioning your issues before you close your topic.

penpen