Safe handling of passwords

Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Safe handling of passwords

07 Feb 2016, 19:14

Hello guys,

I have a few questions about the safe handling of passwords by AHK. I already searched for answers here and on the internet but it is a very difficult topic.
However, here are my questions:

1) Are passwords stored in a variable in a script safe? E.g. when I tell a script a password by typing it into an InputBox and this script stores the pw as a variable and the script remains running indefinitely.

2) Are passwords stored as plain text in a script safe if this script is compiled (in .exe format), assuming the script asks for a master password first?

3) If I want to have a text file or the script itself encrypted so that I have to type in a master password first, how would this be possible? I have found nothing regarding this question.

Most of the time people were writing about something that others called security through obscurity and not real encryption. I do not need a super duper safe method to store my password, just plain encryption with a master password.


Greetings Leli196
Exaskryz
Posts: 2882
Joined: 17 Oct 2015, 20:28

Re: Safe handling of passwords

07 Feb 2016, 19:21

Define safe. And what is the purpose of your script?

My answers are not definitive. Someone may know better, and I kind of have to do some speculation based on what you mean.

1) Looking up the value of the variable is possible. Maybe a malicious party can figure out the password if they gained access to your computer.

2) Most likely not because you can access the source code if you try.

3) I'm not sure. But if you have some encryption algorithm and it needs a key to work, that could be what you're going for. I don't know how it would make the script itself work, but a text file could be saved as junk text, and it can be read into memory using the key to translate it into something sensible. But that can be defeated if people could see the source code to see the algorithm, and then bruteforce for the key.

You might be able to cope with these things if this is for personal use, or for something very low-key and that protects no sensitive information.
Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Re: Safe handling of passwords

08 Feb 2016, 09:58

Hello,

thanks for your reply.

The purpose of the script is to auto log in to some services (not highly sensitive like shops or banks etc.).

About 3): So I do not care about the possibility of a bruteforce attack as I would choose a master password that is safe enough to withstand this. So this method would be a nice solution. However, I have no clue what the code in AHK should look like to decrypt a text file by using a master password. Also the password would not be 100% safe then as it would be stored in a variable (ref. 1)), right?

Additionally I have another question. I read about the possibility to have a whole (compiled) script secured by a password so that you can only gain access with the pw. Would passwords stored in such a script be safer in any way (referring to 2))?


Greetings Leli196
Shadowpheonix
Posts: 1259
Joined: 16 Apr 2015, 09:41

Re: Safe handling of passwords

08 Feb 2016, 12:14

I personally use Keepass to store passwords, then have AutoHotkey automatically trigger Keepass' built in auto-fill whenever specific windows appear.
Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Re: Safe handling of passwords

08 Feb 2016, 12:38

Yeah I use another password manager myself and already thought of using it. However, the service I want to log in to does not accept paste so AHK needs to store the pw in a variable at some point to type it in.
Furthermore I ask myself what your script looks like. Does AHK trigger specific controls of Keepass or does it just click where it needs to (which would be a very simple but unreliable method)?

I would like to hear some more opinions on this topic, especially if somebody knows how to establish real encryption on a text file and then ask for a master password. Additionally the question remains whether it makes any sense to secure a compiled script with a password (maybe it works for my purposes).

Greetings Leli196
Shadowpheonix
Posts: 1259
Joined: 16 Apr 2015, 09:41

Re: Safe handling of passwords

08 Feb 2016, 13:06

KeePass can actually type the credentials instead of pasting, so there is no issue with those types of windows.

The setup I have is KeePass is configured with the credentials & auto-type sequences for the various windows. KeePass itself is configured to perform the auto-type for the active window when Ctrl+Alt+A is pressed. I use a SetTimer routine in AutoHotkey to detect if certain windows exist and take action if they do - for login windows, the actions are to activate the window, focus the user ID field (by using ControlClick when possible, otherwise clicking mouse coordinates), and then press Ctrl+Alt+A. I have yet to encounter a window this does not work with.


Compiled AutoHotkey scripts can be decompiled by anyone who gets their hands on the EXE. If it is for your own personal use and you are reasonably confident no one else will get access to the file, then that is probably fine.
Exaskryz
Posts: 2882
Joined: 17 Oct 2015, 20:28

Re: Safe handling of passwords

08 Feb 2016, 14:42

This is just a quick example of something that may apply to you, without a password manager. This level of encryption is terrible, but AFAIK, it avoids storing values into a variable. (Though they may be stored in memory).

Code:

; A FileRead line could load the 'encrypted' (here: reversed) password from a file instead
password := "!gorf"   ; stored reversed; the real password is "frog!"

^6::   ; Ctrl+6 types the password one character at a time, last character first
Loop % StrLen(password)
    Send % "{Raw}" SubStr(password, StrLen(password) + 1 - A_Index, 1)
return
You won't find an explicit variable with ListVars that holds the value of the password, I don't think.

The code above doesn't use a particular key to validate the passwords. You can look on the forums to use a key to disrupt the algorithm for producing the password, I know there's been many good examples shared.
Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Re: Safe handling of passwords

08 Feb 2016, 15:02

Actually I have to admit that I do not quite understand your code.
Exaskryz wrote: The code above doesn't use a particular key to validate the passwords. You can look on the forums to use a key to disrupt the algorithm for producing the password, I know there's been many good examples shared.
It would be nice if you could post some links regarding this.


Greetings Leli196
Exaskryz
Posts: 2882
Joined: 17 Oct 2015, 20:28

Re: Safe handling of passwords

08 Feb 2016, 15:16

https://autohotkey.com/boards/viewtopic ... ion#p33914 was something I searched for, though this looks like it's for files due to the drag and drop? I haven't reviewed the code at all. All I did was search on this forum for "password encryption" to come up with some results.

https://autohotkey.com/boards/viewtopic ... encryption -- though one reply to that says that entering a password (a master password as a key, maybe) makes no difference. In other words that there's no check for the right password.
Leli196 wrote: Actually I have to admit that I do not quite understand your code.
If you executed it, it should become clear. What that code above does is takes whatever string is in the value of password and reverses it. !gorf -> frog!. Doing that kind of reverse isn't very secure, but it's an example of how you don't store the string "frog!" in a variable - it was instead sent one character at a time. And even those single characters weren't stored in any particular variable.
Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Re: Safe handling of passwords

08 Feb 2016, 17:33

Thanks, the first one looks really nice. There were so many different results when searching for encryption via google and the forum (with people always complaining that it is unsafe etc.) that I lost track of it.

I wrote a short script to test the function Crypt.ahk and it seems to work quite well.

Code:

#Include Crypt.ahk
#Include CryptConst.ahk
#Include CryptFoos.ahk

^1::   ; Ctrl+1: encrypt a test string with the password "xyz"
str := "Hello, this is a string!"
pass := "xyz"
result1 := Crypt.Encrypt.StrEncrypt(str, pass, 7, 6)   ; the two numbers select the library's algorithm and hash IDs (see CryptConst.ahk)
MsgBox, %result1%
Return

^2::   ; Ctrl+2: decrypt the result of Ctrl+1 with the same password and settings
str := result1
result2 := Crypt.Encrypt.StrDecrypt(str, pass, 7, 6)
MsgBox, %result2%
Return
So I want to have a few strings stored in a text file in an encrypted form and then the script should ask me about the password to decrypt it. What would be the best method to store the encrypted strings? In an .ini file? Or maybe just in the script?
Exaskryz wrote: If you executed it, it should become clear. What that code above does is takes whatever string is in the value of password and reverses it. !gorf -> frog!. Doing that kind of reverse isn't very secure, but it's an example of how you don't store the string "frog!" in a variable - it was instead sent one character at a time. And even those single characters weren't stored in any particular variable.
So this sounds reasonable to me. It means that the then decrypted pw is not typed in in its original way but reversed? If yes, I see what your example does, now. I would store the reversed pw in an encrypted way then and have it typed in reversed, right? This is of course no encryption at all, but it is better than having the pw just in a variable.
Wouldn't it also be reasonable then to have the pw split first and then brought together when it is typed in?


Greetings Leli196
Exaskryz
Posts: 2882
Joined: 17 Oct 2015, 20:28

Re: Safe handling of passwords

08 Feb 2016, 17:44

The reversing wouldn't be a requirement. I just used that as a very simple way to demonstrate a form of encryption, instead of something elaborate (more secure I'd imagine) like the first link I shared with you. If you use something like Send % function(), then you don't need to do variable:=function() followed by Send %variable%, because it skips storing the output of the function into a variable to be accessed later. Though, all of this might be losing the scope of how likely it is for someone to sniff around in your running AHK script and look for variables and their values to crack your password.

What I would intend for you to do is say you use the .StrEncrypt() method to generate a result. Save that into some file. Then you would use FileRead (or IniRead) to pull in the encrypted string. This will be the first parameter of the .StrDecrypt(). Your password or key to decrypting it would be the "xyz" you used in the sample code in your previous post. Then you can simply use Send % Crypt.Encrypt.StrDecrypt(str, pass, 7, 6). The real password - the decrypted string - will not be stored in a variable visible in ListVars if you did this approach.
Leli196 wrote: Wouldn't it also be reasonable then to have the pw split first and then brought together when it is typed in?
I'm not sure what you mean by this.
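An added example, not from this thread or from the Crypt.ahk library, showing the shape of the scheme the last two posts describe (encrypt the credentials with a master password, keep only the encrypted result in a file, decrypt it at the moment it is needed) in a form that also answers the objection raised earlier that some of the forum's scripts have no check for the right master password. It is written in Go against the standard library rather than in AutoHotkey so that it runs as is; the file layout, the magic string AHKSECRETS1, the iteration count and the sample master password and credentials are all assumptions made for the example. The master password is stretched with PBKDF2-HMAC-SHA-256 and a random per-file salt, the credentials are encrypted with AES-256-GCM, and the header is bound as associated data, so a wrong password, an edited file or an edited iteration count fails the tag check instead of yielding garbage:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed file layout: magic | iterations (4 bytes BE) | salt | nonce | AES-256-GCM ciphertext+tag.
const (
	magic        = "AHKSECRETS1" // assumed file-type tag
	saltLen      = 16
	hdrLen       = len(magic) + 4 + saltLen // the header is also bound as GCM associated data
	keyLen       = 32                       // AES-256
	defaultIters = 600000                   // tune to your hardware; more iterations slow password guessing
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u)
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no CSPRNG means no encryption; refuse to continue
	}
	return b
}

// newAEAD derives the AES-256 key from the master password plus the file's salt and iteration count.
func newAEAD(master, salt []byte, iters uint32) cipher.AEAD {
	key := pbkdf2SHA256(master, salt, int(iters), keyLen)
	defer clear(key) // best effort: the cipher keeps its own expanded copy
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Seal encrypts plaintext under master and returns the bytes to write to the credentials file.
func Seal(master, plaintext []byte, iters uint32) []byte {
	header := binary.BigEndian.AppendUint32([]byte(magic), iters)
	header = append(header, random(saltLen)...)
	aead := newAEAD(master, header[hdrLen-saltLen:], iters)
	nonce := random(aead.NonceSize())
	out := append(append([]byte(nil), header...), nonce...)
	return aead.Seal(out, nonce, plaintext, header)
}

// Open decrypts a file produced by Seal. A wrong master password and a modified file both fail the tag check.
func Open(master, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+12 || string(blob[:len(magic)]) != magic {
		return nil, errors.New("not a credentials file, or truncated")
	}
	iters := binary.BigEndian.Uint32(blob[len(magic):])
	aead := newAEAD(master, blob[hdrLen-saltLen:hdrLen], iters)
	ns := aead.NonceSize()
	pt, err := aead.Open(nil, blob[hdrLen:hdrLen+ns], blob[hdrLen+ns:], blob[:hdrLen])
	if err != nil {
		return nil, errors.New("wrong master password or file modified")
	}
	return pt, nil
}

func main() {
	master := []byte("correct horse battery staple")        // constructed sample
	file := Seal(master, []byte("pw=frog!"), defaultIters) // in practice: os.WriteFile(path, file, 0600)
	pt, err := Open(master, file)                          // in practice: blob from os.ReadFile(path)
	fmt.Printf("right password: %q, err=%v\n", pt, err)
	clear(pt) // wipe after it has been typed out (best effort)
	_, err = Open([]byte("wrong"), file)
	fmt.Println("wrong password:", err)
}
```

An AutoHotkey script built on a library such as Crypt.ahk should reproduce the same properties: a fresh random salt per file, a slow key derivation so that a guessable master password costs the attacker something, an authenticated cipher mode so that a wrong password is reported rather than typed into a login form, and the decrypt call placed directly inside Send so the plaintext never sits in a named variable. Wiping the buffer afterwards is best effort in any garbage-collected language, and none of this helps against a keylogger on the same machine.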
Leli196
Posts: 220
Joined: 29 Aug 2015, 05:47
Location: Germany

Re: Safe handling of passwords

09 Feb 2016, 07:57

Hi, thanks a lot for your help! :thumbup:
Exaskryz wrote:I'm not sure what you mean by this.
Never mind, it is irrelevant now.


Greetings
IRBaboon
Posts: 27
Joined: 11 Aug 2014, 07:48

Re: Safe handling of passwords

09 Feb 2016, 08:11

I'm not sure that the crypt.ahk library is fully working. There may be problems with Unicode/UTF-8 and/or x64 systems. But I'm not sure.
Here's another one for the TAE algorithm by Laszlo : https://autohotkey.com/board/topic/4147 ... encryptor/. Whatever you do, you're still vulnerable against keylogging.
