HI Folks -
There are a few processes I run that I would like to hide the username and passwords.
How have you handled this in your environments? Is there a way to make a hidden folder that can be referenced? Granted, anyone with an elevated scripting background could crack these easily, but that's not the case here. I don't need to worry about that. I'm just doing it for compliance purposes.
Are there any worthy utilities out there to do this?
Any suggestions are greatly appreciated, thanks!
Encrypt username / password?
Moderator: DosItHelp
Re: Encrypt username / password?
Been talked about plenty of times on the forum.
http://lmgtfy.com/?q=encrypt+password+s ... ostips.com
Re: Encrypt username / password?
For storing passwords you could encrypt them
viewtopic.php?t=5048
viewtopic.php?f=3&t=5566
Of course this doesn't mean someone can't edit the batch file to bypass this.
For making a hidden folder I would recommend taking the file you want to hide and copy /b it into %tmp%/%random%.tmp
This will blend in with other temp files.
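An added example (not from this thread or any of its posters) of the "encrypt them" route on Windows: PowerShell protects the credential with DPAPI so that only the Windows account that later runs the job can decrypt it, which avoids leaving a plaintext username and password in the batch file. The path C:\Scripts\svc.cred, the account name and the entropy string are assumed placeholders.

```powershell
# Added example: store a credential for an unattended script with Windows DPAPI.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the path and the
# entropy string are placeholders, not values from the thread.
Add-Type -AssemblyName System.Security

$CredFile = 'C:\Scripts\svc.cred'
# Optional extra entropy: DPAPI alone lets any process running as this user
# decrypt the blob; the entropy must also be known to the reading script.
$Entropy  = [Text.Encoding]::UTF8.GetBytes('example-app-entropy')  # constructed value

function Protect-Credential {
    param([string]$Path, [string]$UserName, [string]$Password)
    # Scope CurrentUser: only this Windows account on this machine can decrypt.
    $plain  = [Text.Encoding]::UTF8.GetBytes("$UserName`n$Password")
    $cipher = [Security.Cryptography.ProtectedData]::Protect(
        $plain, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [IO.File]::WriteAllBytes($Path, $cipher)
    # Drop inherited ACEs and leave only the owning account on the file, so the
    # encrypted blob itself is not readable by other local users.
    icacls $Path /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" | Out-Null
}

function Unprotect-Credential {
    param([string]$Path)
    $cipher = [IO.File]::ReadAllBytes($Path)
    $plain  = [Security.Cryptography.ProtectedData]::Unprotect(
        $cipher, $Entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    $parts  = [Text.Encoding]::UTF8.GetString($plain) -split "`n", 2
    # Hand back a PSCredential so the password stays a SecureString in the caller.
    $secure = ConvertTo-SecureString $parts[1] -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential($parts[0], $secure)
}

# One-time setup, run interactively AS THE ACCOUNT that will run the scheduled job:
#   Protect-Credential -Path $CredFile -UserName 'svc_backup' -Password (Read-Host 'Password')
# Inside the scheduled script (same account, same machine):
#   $cred = Unprotect-Credential -Path $CredFile
#   Start-Process cmd.exe -ArgumentList '/c backup.cmd' -Credential $cred
```

A blob written under one account (or on another machine) fails to decrypt with a CryptographicException, which is the expected signal that the job is not running as the account that registered the credential.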
Re: Encrypt username / password?
Do NOT encrypt passwords, even in hidden files, especially when the implementation is stored in plaintext. Hash them (and salt them, of course) and store the hashes (and salts) instead. Because hashing is a one-way function (it can't be easily reversed), you can safely* store this information anywhere, provided you're using a strong hash.
* - Obviously, anybody who actually looks at the code will know how you generated the hash, be able to create their own login using that generation process, and simply append it to the data file, but it's a good start.
@echo off
setlocal enabledelayedexpansion
cls
echo [R]egister new user
echo [L]og in with existing user
choice /C:RL /N >nul
if %errorlevel% equ 1 goto :register
if %errorlevel% equ 2 goto :login
exit /b

::------------------------------------------------------------------------------
:: Registers a user with a salted, hashed password.
:: Each line of accounts.txt is: <username> <salt> <sha512(salt+password)>
::
:: Arguments: None
::------------------------------------------------------------------------------
:register
cls
set /p "register_user_name=Desired Username: "
if not exist accounts.txt echo(1>accounts.txt
:: /b anchors the match to the start of the line and the trailing space ends the
:: name, so registering "bob" is not blocked by an existing "bobby" entry.
findstr /b /c:"!register_user_name! " accounts.txt 1>nul 2>&1 && (
    echo That user already has an account on this host. Exiting.
    pause
    exit /b
)
:setPassword
call :getPassword first_password "Desired Password: "
call :getPassword verify_password "Re-enter Password: "
:: The salt only has to differ per account so that two users with the same
:: password get different hashes; date+time is predictable but unique enough.
if not "%first_password%"=="%verify_password%" (
    echo Passwords do not match. Please enter them again.
    echo/
    goto setPassword
) else (
    call :getSHA512 "!date!!time!" salt
    call :getSHA512 "!salt!!first_password!" passhash
)
>>accounts.txt echo %register_user_name% !salt! !passhash!
exit /b

::------------------------------------------------------------------------------
:: Logs in with a username and password
::
:: Arguments: None
::------------------------------------------------------------------------------
:login
cls
set /p "login_user_name=Username: "
call :getPassword given_pass "Password: "
:: Same anchored match as in :register, so only this user's own line is read.
findstr /b /c:"!login_user_name! " accounts.txt 1>nul 2>&1 || (
    echo Invalid username or password. Exiting.
    pause
    exit /b
)
for /f "tokens=1-3" %%A in ('findstr /b /c:"!login_user_name! " accounts.txt 2^>nul') do (
    set "stored_salt=%%B"
    set "stored_hash=%%C"
)
call :getSHA512 "!stored_salt!!given_pass!" givenpasshash
if not !givenpasshash!==!stored_hash! (
    echo Invalid username or password. Exiting.
) else (
    echo Login successful.
)
pause
exit /b

::------------------------------------------------------------------------------
:: Returns the SHA512 value of a string that has been echoed to a text file.
:: Note: echo appends CR LF, so the digest covers "<string>\r\n". That is
:: consistent between registration and login, but matters if the stored hashes
:: are ever checked by another tool. The string also touches the disk briefly.
::
:: Arguments: %1 - the string to hash
::            %2 - the variable that receives the SHA512 value of %1
::------------------------------------------------------------------------------
:getSHA512
>shafile echo %~1
:: certutil prints a header line, the hex digest (with spaces between bytes on
:: older Windows versions) and a trailer line. Both header and trailer contain
:: "hash" (case-insensitively, also on localized systems), so they are dropped
:: and the spaces are stripped from the remaining digest line.
for /f "delims=" %%A in ('certutil -hashfile shafile SHA512 ^| find /v /i "hash"') do (
    set "line=%%A"
    set "linehash=!line: =!"
)
del shafile
set "%~2=!linehash!"
set "linehash="
goto :eof

::------------------------------------------------------------------------------
:: Hides user input and returns the input as a variable.
:: http://www.dostips.com/forum/viewtopic.php?p=33538#p33538 (and other places)
::
:: Arguments: %1 - the variable to store the password in
::            %2 - the prompt to display when receiving input
::------------------------------------------------------------------------------
:getPassword
set "_password="
:: We need a backspace character to handle character removal
for /f %%a in ('"prompt;$H&for %%b in (0) do rem"') do set "BS=%%a"
:: Prompt the user
set /p "=%~2" <nul
:keyLoop
:: Retrieve a keypress: xcopy /w waits for a key and its output, captured by
:: for /f instead of being shown, ends with the character that was pressed
set "key="
for /f "delims=" %%a in ('xcopy /l /w "%~f0" "%~f0" 2^>nul') do if not defined key set "key=%%a"
set "key=%key:~-1%"
:: If no keypress (enter), then exit
:: If backspace, remove character from password and console
:: Otherwise, add a character to password and go ask for next one
if defined key (
    if "%key%"=="%BS%" (
        if defined _password (
            set "_password=%_password:~0,-1%"
        )
    ) else (
        set "_password=%_password%%key%"
        set /p "="<nul
    )
    goto :keyLoop
)
echo/
:: Return password to caller
set "%~1=%_password%"
goto :eof
Re: Encrypt username / password?
Exploring a few of these options, thank you all!