> I have both scripts and ini pp-related files lying around with
> passwords in them. I suppose it would be sensible if they were
> obscured.

Can you think of a likely scenario where that would be a problem? Different threats call for different solutions... Why not rely on your OS's security? You presumably type a password each time you log on... If your account was the only one with access to those files, that'd already protect you against some threats.

> But maybe that's over the top. How about ROT13? Anyone have any
> other ideas on how to simply obscure passwords?

Well, to begin with, if you want to mix letters, you might as well use a more sophisticated key than ROT13... something that can't be cracked without access to the key or at least a few sentences of encrypted text.

I had a program which assigned letters to seemingly random numbers and stored passwords in this form:

343,655,313,124,129

That kind of stuff is not only inherently weak but it will also not prevent anyone who has access to the files from reading the passwords by looking at your scripts and inserting a few strategic debug statements...

> Certainly in my case I don't want to have to type in a passphrase
> every time one of my ini files is accessed.

If you don't mind typing a password each session or each n minutes or something, an easy solution would be to store your sensitive files in an encrypted filesystem. It's safer to rely on code written and possibly reviewed by experts than on your own (assuming you don't know much about crypto). OTOH, if you'd rather never type a password, you could store your key on a USB memory stick or something.

> But where do I store the key entered? I could bury it in some
> obscure place in the registry?

Is it any better than storing it in an obscure file? It would be a touch better to store a hash of the password instead of the password. It won't stop anyone from stealing the hash, but it would be a touch harder to use it than to use the password. That's still not much better...

> _Or_ I could build a default key into the services: everyone gets
> the same key, no one knows what it is.
And so that anyone with access to the plugin would be able to decrypt everyone's stuff...

> _Or_ I could do the previous and use it to encrypt the stored key set
> by crypto.setKey.

That's not any better. Storing it as a hash wouldn't be much better.

As far as I can see, there are only two relatively secure and sane approaches to this problem:

- using existing crypto software (be it your OS, a utility like GnuPG, or a full-fledged program like PGPdisk)
- building a crypto plugin on top of a solid crypto library (and even that would be somewhat risky unless you know what you are doing...)
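The two kinds of "obscuring" discussed in the thread beside a keyed wrapping, as an added Python illustration (not code from the thread or from the PowerPro project): the sample password and the letter-to-number table are constructed, and the PBKDF2/XOR wrap only shows where the key has to live, it is not a substitute for the GnuPG or encrypted-filesystem options named above.

```python
import codecs
import hashlib
import os

# Constructed sample value of the kind stored in an ini file.
SAMPLE_PASSWORD = "s3cret-pass"

def rot13_obscure(value: str) -> str:
    """ROT13 has no key: the same call both obscures and recovers, so anyone
    who can read the ini file or the script recovers the value."""
    return codecs.encode(value, "rot13")

# Letter -> "random looking" number table, as described in the thread.
# Constructed here; the numbers are arbitrary and live in the script itself.
ALPHABET = "abcdefghijklmnopqrstuvwxyz-0123456789"
TABLE = {c: 100 + 7 * i for i, c in enumerate(ALPHABET)}
INVERSE = {n: c for c, n in TABLE.items()}

def table_obscure(value: str) -> str:
    return ",".join(str(TABLE[c]) for c in value)

def table_recover(obscured: str) -> str:
    # Nothing secret is needed: the table is part of the code.
    return "".join(INVERSE[int(n)] for n in obscured.split(","))

def derive_pad(passphrase: str, salt: bytes, length: int) -> bytes:
    # Key material comes from a passphrase typed per session, not from the file.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000,
                               dklen=length)

def wrap(value: str, passphrase: str) -> tuple[bytes, bytes]:
    """Keyed wrapping: XOR with a PBKDF2-derived pad under a fresh salt.
    Illustrates that recovery needs the passphrase; unauthenticated, so a
    real deployment should use a vetted library or tool instead."""
    salt = os.urandom(16)
    data = value.encode()
    pad = derive_pad(passphrase, salt, len(data))
    return salt, bytes(a ^ b for a, b in zip(data, pad))

def unwrap(salt: bytes, wrapped: bytes, passphrase: str) -> str:
    pad = derive_pad(passphrase, salt, len(wrapped))
    return bytes(a ^ b for a, b in zip(wrapped, pad)).decode(errors="replace")

if __name__ == "__main__":
    print("rot13 recovered:", rot13_obscure(rot13_obscure(SAMPLE_PASSWORD)))
    print("table recovered:", table_recover(table_obscure(SAMPLE_PASSWORD)))
    salt, blob = wrap(SAMPLE_PASSWORD, "session-passphrase")
    print("right passphrase:", unwrap(salt, blob, "session-passphrase"))
    print("wrong passphrase:", unwrap(salt, blob, "guess"))
```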
