Securing passwords

cymplecy · December 15, 2022, 12:17pm

Looking for people to test security of this method

I've recently had the need to enter a password into a program to access some data

But I don't want to have to enter the password everytime I run the script so I've come up with this "secure" method of just needing to ask for the password once.

_password is set to be transient so it shouldn't be saved when script saved

If _password already set then it won't ask for it

answer is cleared down so that it's not left in there either

Here is a script pic as well as program (in case _password is exposed in a script pic)

Please let me know if you can read my password

Forgot link

joecooldoo · December 15, 2022, 4:31pm

I don't think the variable is stored in the metadata of the image. I imported the script but found no trace of the password visually. To look deeper, you might want to dig around in the metadata of the image.

ten_6044 · December 16, 2022, 3:35pm

There's a block that allows you to "encrypt" your password that encodes with sha512 hash.

However it's hidden in dev mode, so:

Shift-click the Snap! logo in the editor, then choose Switch to dev mode.
Go to operators, scroll and find this block

calculator · December 16, 2022, 3:52pm

Is there any way to decrypt it?

ten_6044 · December 16, 2022, 3:54pm

SHA512 was for security, for Security, and avoid attackers and malware, there's no way to decrypt it.

cymplecy · December 16, 2022, 4:18pm

This thread is about securing a password from accidently disclosing it not about encryption

joecooldoo · December 16, 2022, 8:47pm

cymplecy · December 16, 2022, 9:09pm

I've tested it to my satisfaction but wanted to see if anyone else could see any flaws in the script/concept

cymplecy · December 17, 2022, 9:59am

So this is what I'm using it for

I can (hopefully) publish a program like this

that doesn't store my MQTT broker write access password (my broker allows anyone to read topics (such as cheerlights/#) but needs a password to publish to them

programmer_user · December 22, 2022, 7:11pm

i think this should be fine as long is the variable isn't stored in the project state? one way i feel like you could test the security of this is to enter your password then download and search for the password in the project metadata
for instance, enter "GenericProjectPassword" then download it and use a text editor to attempt to find that string in the project

system · January 21, 2023, 7:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.