• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7802
  • Last Modified:

How can I encrypt a password inside a VBscript

I need to include a password as part of a VBscript. I need a method of encrypting this password so it cannot be read. I have uses the Microsoft tool (screnc.exe) to change a vbs to a vbe, for encrypting a script, but that method is very easy to hack into. Does anyone have an idea for how to include a password in a script and keep it secret from some fairly sophisticated prying eyes.

Thanks,
bart
0
bartteems
Asked:
bartteems
1 Solution
 
oferamCommented:
It's a chicken and the egg problem. So the best you can do is rely on Obscurity:

Encrypt the password in a text file.
Your script will read that text file and decrypt the password.
The password (clear text) won't be written any where, but than again the "key" to the encryption that can be used to fetch the password is out there in the clear...

You can use custom ActiveX functions to encrypt the password. Examples are here:
http://www.example-code.com/vbscript/encryption.asp

Good luck!
0
 
roeibCommented:
well as said this is a chicken and egg scenario,

i can recommend you to use  "StringConverter.exe " 

you can download it from here:

http://www.computerperformance.co.uk/ezine/tools.htm#StringConverter.exe

The syntax of stringconverter is: stringconverter \"NewPassword\" /encode /unicode

To make it easier to manipulate the encrypted password, 'pipe' the output to a text file, now you can copy the encrypted password into your data file.

   1. Type: stringconverter \"NewPassword\" /encode /unicode  > cryptic.txt
   2. Type: Notepad cryptic.txt, this reveals the encrypted word IgBOAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=

another option is displayed here:

http://www.example-code.com/vbscript/encryption.asp

this has multiple options for vbscript encryption

hope this helps
   3. Substitute that on the theUnicodePwd:: line of your .ldp file.
0
 
tdlewisCommented:
Note: StringConverter does not encrypt the password. It BASE 64 encodes it.

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx reveals the encoded password.

Both oferam and roeib provided links to http://www.example-code.com/vbscript/encryption.asp

Some of the functions described on that page will encrypt a string (for example, the "AES String Encryption" example). When you use a symmetric algorithm such as AES, the encryption key will must be shared between the system that is encrypting the string and the system that is decrypting the string. Based on your description, it sounds like you want the encrypted string and the decryption key to both appear within your script. If that's the case, no amount of obfuscation will "keep it secret from some fairly sophisticated prying eyes."

Nevertheless, the best obfuscation that I can recommend is to split the key so that it appears in multiple places. For a description of key splitting, see http://en.wikipedia.org/wiki/Key_distribution

So, for example, if you split your key into four parts and stored each part in a separate constant strings within your script, it will be harder for those "sophisticated prying eyes" to find your decryption key, but a dedicated hacker will eventually find it.
0
 
oferamCommented:
An easier method would be to use commercial product. I know this one: http://www.cyber-ark.com/identity-access-management-solutions/application-password-management.asp I think there are others that does the same idea.

They give you API to access your password, and they keep your password encrypted and monitor who is accessing it, from which IP, when, etc...
0
 
bartteemsAuthor Commented:
YEs, I think task is impossible. Even though these solutions will work, they still rely on obscurity. The people that I am trying to protect from would see through this immediately. Thanks anyway for the efforts
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now