Encrypting passwords in text file 

Quote:

> Am looking for a fairly simple but secure means to hide passwords in a
> text file (actually just use a __DATA__ block in the script).

Even ignoring the "simple" requirement, it's impossible.

After all, if your script contains enough information to extract the
passwords for its own use, then the user, by seeing your script, has
enough information to use them for himself.

Instead, have a second file, just for the passwords, and set its
permissions so that only "you" can read them.  Then, make your script
into a setuid script, or write a setuid C wrapper, so that it changes
its own permissions to look like it's "you."

--

pack 'u', pack 'H*', 'ab5cf4021bafd28972030972b00a218eb9720000';



Thu, 27 Jan 2005 12:34:34 GMT  
"However, IMO you might as well pretty much just leave the passwords in
the clear and rely on your host's existing file permissions scheme to
reduce the chance that someone will see the passwords."

You got to be kidding me to suggest that....................................



Fri, 25 Feb 2005 00:03:05 GMT  
It does raise the interesting question, though: "how does one hide the
decryption key?"  I'd bet most programmers keep the key in their source
code or a companion configuration file, which presents its own security
risks.  The "safe" way to hide the key is to have the program ask the user
to enter it (either by typing on a keyboard or inserting a floppy, e.g.)
when the program starts up so the key resides only in memory, and not on
disk anywhere.  Any estimates of how many systems do that?
--
Read your most critical mail,
from your existing accounts,
on your existing cell phone,
pushed automatically by mHook.
http://www.mhook.com/


Quote:
> "However, IMO you might as well pretty much just leave the passwords in
> the clear and rely on your host's existing file permissions scheme to
> reduce the chance that someone will see the passwords."

> You got to be kidding me to suggest that....................................


Sat, 26 Feb 2005 07:39:32 GMT  

Quote:

> "However, IMO you might as well pretty much just leave the passwords in
> the clear and rely on your host's existing file permissions scheme to
> reduce the chance that someone will see the passwords."
> You got to be kidding me to suggest that....................................

Since you're commenting on a quote from me, I want to answer this. Did
you read the original article [0] and my reply to it?

The OP wanted to have a way of encrypting data so that a program could
automatically decrypt it but people couldn't. I pointed out that this
was impossible. The OP disagreed, so I've just left them to implement
their insecure "encryption" scheme.

Chris

[0] http://groups.google.com/groups?as_umsgid=Xns92626719C8796TweetiePooh...

until$s[$i];$c=$s[$i];print$c;undef$s[$i];$i=($i+(ord$c))%$l}



Sat, 26 Feb 2005 17:28:46 GMT  


Quote:
> The OP wanted to have a way of encrypting data so that a program could
> automatically decrypt it but people couldn't. I pointed out that this
> was impossible. The OP disagreed, so I've just left them to implement
> their insecure "encryption" scheme.

> Chris

> [0]
> http://groups.google.com/groups?as_umsgid=Xns92626719C8796TweetiePooh...
> 2.253.162.105

Actually I DO agree.  The whole mechanism stinks but using a "simple"
encoding scheme to hide the password does help even if only a little.

Sure anyone can copy the file and play with it but those with access probably
know the secret anyway.  This just makes it a tad less obvious to "visitors"
looking over shoulder or to the non techy types who will end up using it but
who will also probably know the secret.

If I were to push the tool out I would hide this data better (and/or use a
better mechanism).



Mon, 07 Mar 2005 23:11:31 GMT  
 