Securing passwords

Looking for people to test security of this method

I've recently had the need to enter a password into a program to access some data.

But I don't want to have to enter the password every time I run the script, so I've come up with this "secure" :slight_smile: method of just needing to ask for the password once.


_password is set to be transient so it shouldn't be saved when the script is saved

If _password is already set then it won't ask for it

answer is cleared down so that it's not left in there either

Here is a script pic as well as program (in case _password is exposed in a script pic)

Please let me know if you can read my password :slight_smile:

password script pic

Forgot link :slight_smile:

https://snap.berkeley.edu/snap/snap.html#present:Username=cymplecy&ProjectName=password&editMode

I don't think the variable is stored in the metadata of the image. I imported the script but found no trace of the password visually. To look deeper, you might want to dig around in the metadata of the image.

There's a block that allows you to "encrypt" your password that encodes with sha512 hash.
password script pic

However it's hidden in dev mode, so:

  1. Shift-click the Snap! logo in the editor, then choose Switch to dev mode.
  2. Go to operators, scroll and find this block

Is there any way to decrypt it?

SHA512 was for security, for :shield: Security, and to avoid attackers and malware; there's no way to decrypt it.

This thread is about securing a password from accidentally disclosing it, not about encryption :slight_smile:

I've tested it to my satisfaction but wanted to see if anyone else could see any flaws in the script/concept

So this is what I'm using it for

I can (hopefully) publish a program like this
passwordMQTT script pic

that doesn't store my MQTT broker write access password (my broker allows anyone to read topics (such as cheerlights/#) but needs a password to publish to them)

I think this should be fine as long as the variable isn't stored in the project state? One way I feel like you could test the security of this is to enter your password, then download and search for the password in the project metadata.
For instance, enter "GenericProjectPassword", then download it and use a text editor to attempt to find that string in the project.
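
The test suggested in the post above (enter a known string, export, search the file), as an added example that is not part of the original thread. The sample XML is constructed, and the `<variable ... transient="true"/>` layout is an assumption about how Snap! exports a transient variable; the check also looks for escaped forms of the canary that a plain text search would miss.

```python
import base64
import sys
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def canary_forms(canary):
    """Byte patterns the canary could take inside an exported file."""
    raw = canary.encode("utf-8")
    return {
        "plain": raw,
        # '&', '<', '>' and quotes are escaped in XML, so a plain search misses them
        "xml-escaped": escape(canary, {'"': "&quot;", "'": "&apos;"}).encode(),
        "url-encoded": urllib.parse.quote(canary, safe="").encode(),
        "base64": base64.b64encode(raw),
    }

def find_canary(blob, canary):
    """Names of the encodings under which the canary appears in blob (bytes)."""
    return sorted(n for n, form in canary_forms(canary).items() if form in blob)

def audit_project(xml_text, canary):
    """Report canary hits and which variables were exported with a value."""
    stored, transient = [], []
    for var in ET.fromstring(xml_text).iter("variable"):
        if var.get("transient") == "true":   # assumed export format
            transient.append(var.get("name"))
        elif len(var):                       # child element = serialized value
            stored.append(var.get("name"))
    return {"hits": find_canary(xml_text.encode("utf-8"), canary),
            "stored": stored, "transient": transient}

# Constructed sample exports (not real project files).
CANARY = "GenericProject&Password"
SAFE = ('<project name="password"><variables>'
        '<variable name="_password" transient="true"/>'
        '<variable name="topic"><l>cheerlights</l></variable>'
        '</variables></project>')
LEAKY = SAFE.replace('<variable name="_password" transient="true"/>',
                     '<variable name="_password"><l>GenericProject&amp;Password</l></variable>')

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # usage: script.py FILE CANARY
        with open(sys.argv[1], "rb") as fh:
            print(find_canary(fh.read(), sys.argv[2]))
    else:
        print(audit_project(SAFE, CANARY))
        print(audit_project(LEAKY, CANARY))
```

`find_canary` works on raw bytes, so the same check can be pointed at a saved script pic as well as an exported project file.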
