How safe is using scripts / batch files / macros that involve password form filling?

Discussion in 'malware problems & news' started by connect4, Dec 19, 2009.

Thread Status:
Not open for further replies.
  1. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    It seems that RoboForm password filler is safer than manually typing in your password for websites.
    http://www.roboform.com/anti-keylogger.html

    "..Quick Typing. Roboform enters password quickly and it presses Submit button quickly, so many keyloggers will not be fast enough to get web page password from the page..."


    What about using Batch files or Macros?

    I mean would it be safer or more vulnerable to use a batch file or a macro to input your password into a program, for example TrueCrypt password prompt.

    For example: If I were to mount a TrueCrypt container, it would pop up a password promt in which I would have to manually enter in my password.

    Now, would it make it any more or less safe using a batch file to mount my TrueCrypt container?
    Example: Create a batch file that uses TrueCrypt command line feature to mount my container.

    Note:
    This is assuming that no malware or user can access your batch files or macros that would contain your password/s. I want to find out if there are any vulnerabilities to using batch files or macros while they are running. (Hypothetical example: using bat files=> copies ur password somewhere that is insecure that manually typing doesn't do.)
    (Also: I use Macro Express Pro 4 + use Windows XP)
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There is nothing inherently insecure in the using of batch files. Anything that could capture the password from it could capture a manually entered one as well. That said, batch files are plain text. Your password would be stored as plain text on the same PC it's used on. For that reason alone, I wouldn't a batch file to enter a password unless it was encrypted as well. It's also possible that the password would remain stored in RAM for a while where forensic recovery tools could get it.
    "This is assuming that no malware or user can access your batch files or macros that would contain your password/s."
    That is a big and potentially dangerous assumption. Unless the batch files is encrypted or stored on removable media, anyone with physical access to the PC could read it.
     
  3. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    Hmm this is interesting, I want to look into encrypting batch files / scripts...



    So you are saying that using batch files and macro scripts in and of themselves don't make it any more or less secure than manually typing in passwords, correct?

    With that being said, is there a way to use a program to make password filling more secure? (Ex: Roboform for website login filling)

    Also it seems that some of these programs could be potentially used for this purpose but I am not sure: http://www.snapfiles.com/Shareware/security/swpass.html

    Any thoughts on these programs or other secure methods for password filling?




    This has nothing to do with using Batch files and Macros correct?
     
    Last edited: Dec 20, 2009
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Correct. The batch file or script doesn't introduce any additional vulnerability to the actual process of entering the password. The big difference when using a batch file or script is that the password is on your hard drive, media, or external device in plain text. Regardless of what you name the script or batch file, it could be found by searching for all files with specific file extensions, examples:
    *.cmd
    *.bat
    *.vbs
    Correct. Well designed strong encryption programs will take steps to ensure that a password stored in RAM is overwritten or otherwise made unrecoverable. Most other user software will not go to that extreme.

    I can't offer any opinion on Roboform or other password software. For websites such as forums and webmail accounts, I use the browsers built in password manager. For more sensitive passwords like those for online banking or credit card sites and those used to mount encrypted containers or partitions, I enter these manually.

    IMO, storing sensitive passwords on your system is an unnecessary risk. It's another piece of software that the criminal element will be probing and trying to crack, which means that it will probably need regular updating. No matter how good the password app is, it will only be as secure as the OS it's running on.
     
  5. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    Incorrect. When run under command-line, TrueCrypt will pause at the appropriate moment and present the user with the standard password entry screen. You can also (if desired) hardcode the password into the batchfile using the /p switch, but this will of course create a security risk.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's basically what I just said. Having the password in a batch file or script is an unnecessary risk, not just with TrueCrypt but with any sensitive password.
     
Loading...
Thread Status:
Not open for further replies.