Encrypt username / password?

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

Post Reply
Message
Author
SIMMS7400
Posts: 446
Joined: 07 Jan 2016 07:47

Encrypt username / password?

#1 Post by SIMMS7400 » 23 Sep 2016 07:09

HI Folks -

There are a few processes I run that I would like to hide the username and passwords.

How have you handled this in your environments? Is there a way to make a hidden folder that can be referenced? Granted, anyone with an elevated scripting background could crack these easily, but that's not the case here. I dont need to worry about that. I"m just doing it for compliance purposes.

Are there any worthy utilities out there to do this?

Any suggestions are greatly appreciated, thanks!

Squashman
Expert
Posts: 4114
Joined: 23 Dec 2011 13:59

Re: Encyrpt username / password?

#2 Post by Squashman » 23 Sep 2016 07:18

Been talked about plenty of times on the forum.
http://lmgtfy.com/?q=encrypt+password+s ... ostips.com

batchcc
Posts: 137
Joined: 17 Aug 2015 06:05
Contact:

Re: Encyrpt username / password?

#3 Post by batchcc » 23 Sep 2016 13:31

For storing passwords you could encrypt them

viewtopic.php?t=5048
viewtopic.php?f=3&t=5566

Of course this doesn't mean someone can't edit the batch file to bypass this.
For making a hidden folder I would recommend taking the file you want to hide and copy /b it into %tmp%/%random%.tmp
This will blend in with other temp files.

ShadowThief
Expert
Posts: 910
Joined: 06 Sep 2013 21:28
Location: Virginia, United States

Re: Encyrpt username / password?

#4 Post by ShadowThief » 24 Sep 2016 03:17

Do NOT encrypt passwords, even in hidden files, especially when the implementation is stored in plaintext. Hash them (and salt them, of course) and store the hashes (and salts) instead. Because hashing is a one-way function (it can't be easily reversed), you can safely* store this information anywhere, provided you're using a strong hash.

Code: Select all

@echo off
setlocal enabledelayedexpansion
cls

echo [R]egister new user
echo [L]og in with existing user
choice /C:RL /N >nul

if %errorlevel% equ 1 goto :register
if %errorlevel% equ 2 goto :login
exit /b

::------------------------------------------------------------------------------
:: Registers a user with an encrypted password.
::
:: Arguments: None
::------------------------------------------------------------------------------
:register
cls
set /p "register_user_name=Desired Username: "

if not exist accounts.txt echo(1>accounts.txt

findstr /c:"!register_user_name!" accounts.txt 1>nul 2>&1 && (
   echo That user already has an account on this host. Exiting.
   pause
   exit /b
)

:setPassword
call :getPassword first_password "Desired Password: "
call :getPassword verify_password "Re-enter Password: "
if not "%first_password%"=="%verify_password%" (
   echo Passwords do not match. Please enter them again.
   echo/
   goto setPassword
) else (
   call :getSHA512 "!date!!time!" salt
   call :getSHA512 "!salt!!first_password!" passhash
)

>>accounts.txt echo %register_user_name% !salt! !passhash!
exit /b

::------------------------------------------------------------------------------
:: Logs in with a username and password
::
:: Arguments: None
::------------------------------------------------------------------------------
:login
cls
set /p "login_user_name=Username: "
call :getPassword given_pass "Password: "

findstr /c:"!login_user_name!" accounts.txt 1>nul 2>&1 || (
   echo Invalid username or password. Exiting.
   pause
   exit /b
)

for /f "tokens=1-3" %%A in ('findstr /c:"!login_user_name!" accounts.txt 2^>nul') do (
   set "stored_salt=%%B"
   set "stored_hash=%%C"
)


call :getSHA512 "!stored_salt!!given_pass!" givenpasshash
if not !givenpasshash!==!stored_hash! (
   echo Invalid username or password. Exiting.
) else (
   echo Login successful.
)

pause
exit /b

::------------------------------------------------------------------------------
:: Returns the SHA512 value of a string that has been echoed to a text file.
::
:: Arguments: %1 - the string to encode
::            %2 - the SHA512 value of %1
::------------------------------------------------------------------------------
:getSHA512
>shafile echo %~1
for /f "delims=" %%A in ('certutil -hashfile shafile SHA512 ^| find /v "hash"') do (
   set line=%%A
   set linehash=!line: =!
)
del shafile

set "%~2=!linehash!"
set "linehash="
goto :eof

::------------------------------------------------------------------------------
:: Hides user input and returns the input as a variable.
:: http://www.dostips.com/forum/viewtopic.php?p=33538#p33538 (and other places)
::
:: Arguments: %1 - the variable to store the password in
::            %2 - the prompt to display when receiving input
::------------------------------------------------------------------------------
:getPassword
set "_password="

:: We need a backspace to handle character removal
for /f %%a in ('"prompt;$H&for %%b in (0) do rem"') do set "BS=%%a"

:: Prompt the user
set /p "=%~2" <nul

:keyLoop
:: Retrieve a keypress
set "key="
for /f "delims=" %%a in ('xcopy /l /w "%~f0" "%~f0" 2^>nul') do if not defined key set "key=%%a"
set "key=%key:~-1%"

:: If No keypress (enter), then exit
:: If backspace, remove character from password and console
:: Otherwise, add a character to password and go ask for next one
if defined key (
    if "%key%"=="%BS%" (
        if defined _password (
         set "_password=%_password:~0,-1%"
      )
    ) else (
        set "_password=%_password%%key%"
        set /p "="<nul
    )
    goto :keyLoop
)
echo/

:: Return password to caller
set "%~1=%_password%"
goto :eof


* - Obviously, anybody who actually looks at the code will know how you generated the hash, be able to create their own login using that generation process, and simply append it to the data file, but it's a good start.

SIMMS7400
Posts: 446
Joined: 07 Jan 2016 07:47

Re: Encyrpt username / password?

#5 Post by SIMMS7400 » 01 Oct 2016 17:52

Exploring a few of these options, thank you all!

Post Reply