
How can I encrypt a password inside a VBscript

Posted on 2009-12-17
Last Modified: 2012-06-21
I need to include a password as part of a VBscript. I need a method of encrypting this password so it cannot be read. I have used the Microsoft tool (screnc.exe) to change a vbs to a vbe, for encrypting a script, but that method is very easy to hack into. Does anyone have an idea for how to include a password in a script and keep it secret from some fairly sophisticated prying eyes?

Thanks,
bart
Question by:bartteems
5 Comments
 
LVL 6

Accepted Solution

by:
oferam earned 2000 total points
ID: 26074681
It's a chicken and the egg problem. So the best you can do is rely on Obscurity:

Encrypt the password in a text file.
Your script will read that text file and decrypt the password.
The password (clear text) won't be written anywhere, but then again the "key" to the encryption that can be used to fetch the password is out there in the clear...

You can use custom ActiveX functions to encrypt the password. Examples are here:
http://www.example-code.com/vbscript/encryption.asp

Good luck!
0
 
LVL 3

Expert Comment

by:roeib
ID: 26074719
Well, as said, this is a chicken and egg scenario.

I can recommend you use "StringConverter.exe".

you can download it from here:

http://www.computerperformance.co.uk/ezine/tools.htm#StringConverter.exe

The syntax of stringconverter is: stringconverter \"NewPassword\" /encode /unicode

To make it easier to manipulate the encrypted password, 'pipe' the output to a text file; now you can copy the encrypted password into your data file.

   1. Type: stringconverter \"NewPassword\" /encode /unicode  > cryptic.txt
   2. Type: Notepad cryptic.txt, this reveals the encrypted word IgBOAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=

Another option is displayed here:

http://www.example-code.com/vbscript/encryption.asp

This has multiple options for VBScript encryption.

Hope this helps.
   3. Substitute that on the theUnicodePwd:: line of your .ldp file.
0
 
LVL 10

Expert Comment

by:tdlewis
ID: 26075553
Note: StringConverter does not encrypt the password. It BASE 64 encodes it.

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx reveals the encoded password.

Both oferam and roeib provided links to http://www.example-code.com/vbscript/encryption.asp

Some of the functions described on that page will encrypt a string (for example, the "AES String Encryption" example). When you use a symmetric algorithm such as AES, the encryption key must be shared between the system that is encrypting the string and the system that is decrypting the string. Based on your description, it sounds like you want the encrypted string and the decryption key to both appear within your script. If that's the case, no amount of obfuscation will "keep it secret from some fairly sophisticated prying eyes."

Nevertheless, the best obfuscation that I can recommend is to split the key so that it appears in multiple places. For a description of key splitting, see http://en.wikipedia.org/wiki/Key_distribution

So, for example, if you split your key into four parts and stored each part in separate constant strings within your script, it will be harder for those "sophisticated prying eyes" to find your decryption key, but a dedicated hacker will eventually find it.
0
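tdlewis's point about StringConverter, shown as an added example that is not part of the original thread: a short Python audit that finds quoted Base64 literals in a script and recovers their plaintext without any key. The function names and the sample script are constructed for illustration; only the first encoded value is the one quoted in the thread.

```python
import base64
import re

# Quoted string literals made only of base64 characters, 16+ chars long.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')

def decode_if_text(token):
    """Return (charset, plaintext) if token is base64 over readable text, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    # StringConverter's /unicode output is UTF-16LE; also try plain UTF-8 text.
    for charset in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(charset)
        except UnicodeDecodeError:
            continue
        if text and all(32 <= ord(ch) < 127 for ch in text):
            return charset, text
    return None

def audit_script(source):
    """List (line_no, charset, plaintext) for every literal that decodes to text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            decoded = decode_if_text(match.group(1))
            if decoded:
                findings.append((line_no, decoded[0], decoded[1]))
    return findings

# Constructed sample script. The first literal is the value quoted in the thread;
# the second is constructed binary data that does not decode to readable text.
SAMPLE_VBS = '''Option Explicit
Const ENC_PWD = "IgBOAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA="
Const BLOB = "3q2+7/rO/+7erb7v+s7/7g=="
WScript.Echo "Connecting to server"
'''

if __name__ == "__main__":
    for line_no, charset, text in audit_script(SAMPLE_VBS):
        print(f"line {line_no}: base64({charset}) -> {text!r}")
```

A literal that this audit flags is encoded, not encrypted, and should be treated as a plaintext credential when reviewing a script.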
 
LVL 6

Expert Comment

by:oferam
ID: 26075969
An easier method would be to use a commercial product. I know this one: http://www.cyber-ark.com/identity-access-management-solutions/application-password-management.asp I think there are others that do the same.

They give you an API to access your password, and they keep your password encrypted and monitor who is accessing it, from which IP, when, etc...
0
 

Author Comment

by:bartteems
ID: 26170833
Yes, I think the task is impossible. Even though these solutions will work, they still rely on obscurity. The people that I am trying to protect from would see through this immediately. Thanks anyway for the efforts.
0
