[OT] Security in scripting languages

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: [OT] Security in scripting languages
From: Philippe Lhoste <PhiLho@...>
Date: Fri, 15 Feb 2002 18:33:32 +0100 (MET)

I have to ask a question that is slightly off topic here.

First because the mailing list is full of knowledgeable persons that
cumulate an impressive knowledge.
Second because it is not totally OT, actually...

Suppose I use Lua to automate some tasks that need to provide a password.
For example, whilst using with cURL or Sock, to connect to a  site asking for a
password or to provide a password in a form; or for automated tasks (eg.
with AutoIt) needing login or typing a password, etc.

Is there any mean to encrypt the password in the script, so it can be hardly
decyphered by another person?

I have to be more precise. I can easily write two C functions, one to
transform a string into an encrypted one, and another for the reverse operation. I
know there are a number of algorithms for that, and I even created a couple
of simple but effective ones.
These algorithms may not resist a full attack by a cracker, but will fend
off 99% of users.

The problem is that I will put these algorithms in an open source project,
so anybody a bit smart and with some programming knowledge can locate these
routines, and write a little program to decypher the passwords in a script.
And on an office were most of the employees are programmers, this is a big
security risk!

So my question: is there a good algorithm or procedure allowing to put
encrypted passwords in a script, that will resists such attacks?
I doubt so. That's the vulnerability of open source: if you can trace how
the program unencrypt the password, you can decypher it yourself. On this view,
proprietary closed programs are safer, even if not perfect (see how easy it
is to break Windows and Office passwords...).

On the other hand, e-mail programs, among other applications, have to store
the account password, so unless they ask they each time they need them, they
should have a way to protect them. Or not?

Thank you to share your thoughts on the subject.

Regards.

-- 
--=#=--=#=--=#=--=#=--=#=--=#=--=#=--=#=--=#=--
Philippe Lhoste (Paris -- France)
Professional programmer and amateur artist
http://jove.prohosting.com/~philho/
--=#=--=#=--=#=--=#=--=#=--=#=--=#=--=#=--=#=--

GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net

Follow-Ups:
- Re: [OT] Security in scripting languages, Diego Fernandes Nehab
- Re: [OT] Security in scripting languages, Charles Steinkuehler

Prev by Date: Re: for end
Next by Date: RE: [OT] Security in scripting languages
Previous by thread: Re: for end
Next by thread: Re: [OT] Security in scripting languages
Index(es):
- Date
- Thread