Variable security inside a running script

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
grant
Posts: 323
Joined: 14 Oct 2015, 17:27

Variable security inside a running script

26 May 2016, 01:30

I make use of this email from a gmail account function quite often to send file list updates while I am not at the pc and it is running 99% of the time.
https://autohotkey.com/board/topic/9582 ... -mailsend/
Fortunately it is not a sensitive email account (only used for sending these notifications) and if compromised it is not going to do any damage and all anyone would get is a list of filenames and access to an email account that sends me data.

But I was thinking about how to secure this a little better than having the account and password in plain text in the code so I can use it for other purposes as well.
Using an input box that runs when the program is first started, asking for an email address and password, and placing the user input to variables, the variables can be used when using the function.

My question is: Can the contents of this variable be accessed once the script is already running?

So something like this:

; Prompt once at startup; the variable names here are illustrative.
InputBox, EmailAccount, Email account, Enter the email account.
InputBox, EmailPassword, Email password, Enter the email password., HIDE
idledelay := 3000000

SetTimer, CheckTime, 600000 ; check time every 10 minutes
Return

CheckTime:
if (A_WDay > 1) && (A_WDay < 7) && (A_Hour > 06) && (A_Hour < 19) && (A_TimeIdle > idledelay)
{
    ; does stuff
    ; EmailAccount is sent to the function
    ; EmailPassword is sent to the function
    ; does more stuff
}
Return

The variables are never sent as keystrokes, nor are they copy and pasted. The email being sent is never visible to anyone watching the monitor. So the only way is by some sort of app that displays data in memory. I suspect that there may be some software that can do this but is it something that one should be concerned about?
waetherman
Posts: 112
Joined: 05 Feb 2016, 17:00

Re: Variable security inside a running script

26 May 2016, 03:56

grant wrote: I suspect that there may be some software that can do this but is it something that one should be concerned about?

I don't think so. You can encrypt the password in memory, but you only make it harder to acquire the password (and only a little harder), unless you encrypt it with another password, which defeats the purpose of storing the first pass, unless you store more than one password in your script.

If you look for example on Firefox, you can simply go to options-security-logins and show your passwords. It is considered acceptable security-wise to store passwords like this, saved in an encrypted file - so you have to log in to your Windows profile in order to retrieve it (I didn't actually check this is the case with Firefox, but I would bet it is).

You could do something fancy, e.g. store an encryption key divided into two parts, where one is stored on your hard drive and the other on a pendrive you always take with you. Malicious software can still access it if it's running when the stick is inside your PC, but it could also just monitor the memory. Would someone care enough to do that? No.
rootmos
Posts: 35
Joined: 11 Mar 2016, 04:38
Location: Sweden

Re: Variable security inside a running script

26 May 2016, 04:13

AHK scripts will always be easy to reverse-engineer, even if they are compiled and compressed with mpress/upx for example. I wrote some code a few weeks ago, I got my mail and password information in an ini file and didn't want it in plain-text so I decided to XOR crypt the mail/password strings in the ini file, using a secret key for decrypting the strings again. This works OK if you want to get prompted for a secret key every time your script is trying to send the mail, since the script needs to decrypt mail/password before sending the mail. I couldn't come up with a good solution for this so I hardcoded the secret key inside the script, which makes everything kinda useless for the advanced hackz0rz, but for the scriptkiddies and nubs, it will be decent enough I believe!

If you are interested have a look at:
https://github.com/rootm0s/DomainWatcher
Look at me, I am your god now.
grant
Posts: 323
Joined: 14 Oct 2015, 17:27

Re: Variable security inside a running script

26 May 2016, 04:33

The password in question is never sent as text, never pasted, never written to disk and appears nowhere in your code (only the variable name is in the code).

What I meant was when you run the program, the program asks you for your password and stores that in a variable (not saved in an ini or any other file on disk).
I get up and go out, leaving the pc with the program now running and every hour the pc checks a file list, if the list changes it fires a mail to me, using that password I gave it when I started the program.
When the program crashes or is stopped in any way and you restart the program, you again have to enter the password before it will run.
If you enter the wrong password, the program will appear to run but the email will never send as it cannot authenticate the gmail access.

Obviously if the password is sent as text or pasted in any way during the program's run it changes things. I.e. your program sends the password as text or pastes it into a password field on a webpage, this is significantly less "safe". A person that sees what is happening can just throw a notepad over the field and you can intercept it that way.
waetherman
Posts: 112
Joined: 05 Feb 2016, 17:00

Re: Variable security inside a running script

26 May 2016, 05:55

grant wrote: The password in question is never sent as text, never pasted, never written to disk and appears nowhere in your code (only the variable name is in the code).

What I meant was when you run the program, the program asks you for your password and stores that in a variable (not saved in an ini or any other file on disk).
I get up and go out, leaving the pc with the program now running and every hour the pc checks a file list, if the list changes it fires a mail to me, using that password I gave it when I started the program.
When the program crashes or is stopped in any way and you restart the program, you again have to enter the password before it will run.
If you enter the wrong password, the program will appear to run but the email will never send as it cannot authenticate the gmail access.

Obviously if the password is sent as text or pasted in any way during the program's run it changes things. I.e. your program sends the password as text or pastes it into a password field on a webpage, this is significantly less "safe". A person that sees what is happening can just throw a notepad over the field and you can intercept it that way.

You store the password in memory - it can be easily read from there. You can encrypt it, but then it's easy to read the source of your script to get the decryption method.
rootmos
Posts: 35
Joined: 11 Mar 2016, 04:38
Location: Sweden

Re: Variable security inside a running script

26 May 2016, 06:15

Don't think you understand my code then, because variable u = "test" is the password, or as I call it, a secret key to decrypt/encrypt my mail/password.
grant
Posts: 323
Joined: 14 Oct 2015, 17:27

Re: Variable security inside a running script

26 May 2016, 06:50

That is more or less what I thought, thanks.
Shadowpheonix
Posts: 1259
Joined: 16 Apr 2015, 09:41

Re: Variable security inside a running script

26 May 2016, 12:22

I have several similar functions that require passwords for things they access. What I do is have my script prompt for the password, and then use KeePass to auto-fill the prompt. I do this by having a SetTimer routine in my script that checks for my password prompt windows and when it finds one, it sends my KeePass hotkey.

I.e., something like this...

SetTitleMatchMode, 2
SetTimer, CheckForPasswordWindows, 250
F11::
InputBox, App1Pass,  Application 1 Password, Please enter the password for Application 1.
; Do stuff for "Application 1"
Return

F12::
InputBox, App2Pass,  Application 2 Password, Please enter the password for Application 2.
; Do stuff for "Application 2"
Return

CheckForPasswordWindows:
IfWinExist, Password, Please enter the password
    Send ^!a    ; Ctrl+Alt+A is the hotkey I defined in KeePass for auto-typing passwords.   KeePass has a window filter to detect which password to type.
Return
lexikos
Posts: 9690
Joined: 30 Sep 2013, 04:07

Re: Variable security inside a running script

26 May 2016, 18:52

If the script is not compiled, ListVars can be triggered from the menus of the script's main window, or by sending the message which corresponds to that menu item. If you are storing the password in a global variable (or in a function which is running when the message is received), it is easy for others to view the password if they know where to look.

If you store the password in an array or object instead of directly in a variable (as a string), currently that would prevent it from appearing in ListVars, because ListVars does not show the content of objects.

However, if the script is not compiled, you can attach to it with a debugger and inspect variables and objects. You can also step through the code line by line to the point where the password is used, so "hiding" it in a local/static variable won't really work.

If the script is compiled, ListVars is disabled by default and debugging is disabled (actually, the debugger engine is omitted from the executable).
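
The points about ListVars above, as an added AutoHotkey v1.1 example that is not code from any poster in this thread: the credentials are kept in an object rather than in plain string variables, and the script offers a hotkey to review its own variable list. The names Secrets, SendReport, tmpAccount, tmpPass and the F9 hotkey are hypothetical, and the mail call is left as a placeholder.

```autohotkey
; Added example (AutoHotkey v1.1). All names below are hypothetical.
#NoEnv
#SingleInstance Force

Secrets := {}   ; ListVars currently does not display the contents of objects

InputBox, tmpAccount, Email account, Enter the sending account.
if (ErrorLevel)     ; user pressed Cancel
    ExitApp
InputBox, tmpPass, Email password, Enter the password., HIDE
if (ErrorLevel)
    ExitApp

Secrets.account := tmpAccount
Secrets.pass := tmpPass
; Empty the plain string variables so ListVars has nothing to show for them.
; This only changes what ListVars displays; it does not scrub process memory.
tmpAccount := ""
tmpPass := ""

SetTimer, CheckTime, 600000     ; every 10 minutes, as in the first post
Return

CheckTime:
    SendReport(Secrets)
Return

SendReport(creds) {
    ; The password is a plain string only in the local variable pw, and
    ; locals of a running function are listed by ListVars while it runs.
    pw := creds.pass
    ; ... call the mail function with creds.account and pw here ...
    pw := ""
}

; Self-check on your own script: open the variable list and confirm that
; tmpAccount and tmpPass are empty and that Secrets shows no contents.
F9::ListVars
```

As the post says, this affects only what ListVars displays: an uncompiled script can still be inspected with a debugger, and the object contents remain in process memory.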
