Tomasz Chmielewski wrote:
> That's exactly what I mean (they are already readable by SYSTEM and
> admins only).
>
> If the disk is stolen, it would add some extra time before the password
> is compromised.
>
> Someone gave a clue here:
>
> http://cygwin.com/ml/cygwin/2005-12/msg00181.html
>
> "instead of storing them plaintext, why don't you try encoding them via
> cryptographic hashes - md5, sha1, tiger and the like."
>
> But I don't really know where to start (which tool should I use for it?)

Let's step back a minute. If your script is storing passwords so that it can *supply* them to Windows, then you can't store hashes. That only works if your script accepts passwords itself and then verifies them *itself* against the stored hashes.

Now, assuming you need to store passwords in plaintext: Without some sort of external storage, there is absolutely nothing you can do to prevent someone that stole the drive from being able to read the plaintext passwords. You can encrypt them up the wazoo, it doesn't matter. To encrypt you have to use a key of some kind, and unless you store that key in a location off of the hard drive, then all the attacker has to do is take the key and use it to decrypt.

Put another way, the attacker can do whatever the PC does to access the passwords. So if the PC can access the passwords without data from elsewhere, so can the thief.

So, unless you're planning on setting up something where a passphrase not stored on the disk is entered on the keyboard, retrieved from a floppy, etc. then you're wasting your time.

If you just want to encrypt to say that you've encrypted, then there are tons of utilities to do this. Try "man openssl" or "man enc" for starters. But again, if you store the encrypted file along with the key on the disk then you've accomplished absolutely nothing from a security standpoint. (This is assuming you use a key without a passphrase. But if you do that you are essentially no longer storing the key on the disk, since it will require some keyboard input to function.)

Brian
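
Added example, not part of the original message or thread: the two cases from the reply above, run with `openssl enc`. The file names, the sample secret, the passphrase and the `PASSPHRASE` environment variable (standing in for keyboard entry) are all constructed for the demonstration; it assumes OpenSSL 1.1.1 or later for `-pbkdf2`.

```shell
#!/bin/sh
# Constructed sample value; stands in for the password the script must supply.
SECRET='constructed-service-password'

# Encrypt $SECRET into file $1; $2 is an openssl passphrase source
# (file:PATH, env:VAR or pass:STRING).
seal() {
    printf '%s' "$SECRET" |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "$2" -out "$1"
}

# Decrypt file $1 with passphrase source $2 and print whatever comes out.
unseal() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "$2" -in "$1" 2>/dev/null
}

# Case 1: the key file lives on the same disk as the ciphertext.
# Decryption below uses nothing except files found under $disk.
key_beside_ciphertext() {
    disk=$(mktemp -d) || return 1
    openssl rand -hex 32 > "$disk/key"
    seal "$disk/secret.enc" "file:$disk/key"
    unseal "$disk/secret.enc" "file:$disk/key" || true
    rm -rf "$disk"
}

# Case 2: the passphrase exists only in memory (an environment variable here,
# in place of keyboard entry). $1 is what the person holding the disk tries.
passphrase_off_disk() {
    disk=$(mktemp -d) || return 1
    ( PASSPHRASE='typed at the console'; export PASSPHRASE
      seal "$disk/secret.enc" env:PASSPHRASE )
    ( PASSPHRASE=$1; export PASSPHRASE
      unseal "$disk/secret.enc" env:PASSPHRASE ) || true
    rm -rf "$disk"
}

# Report whether the disk contents alone gave the plaintext back.
if [ "$(key_beside_ciphertext)" = "$SECRET" ]; then
    echo "key beside ciphertext: recovered from disk contents alone"
fi
if [ "$(passphrase_off_disk 'a guess')" != "$SECRET" ]; then
    echo "passphrase off disk: not recovered without the passphrase"
fi
```
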