This is a question with a rather small scope, but I'm running a lot of Windows command prompt commands that involve using the admin password. I can either have part of the command be "/user:administrator /password:examplepassword", where examplepassword is in plaintext, or I can just have "/user:administrator", and it prompts me for the password, which I then enter masked (*******).

So, my question is simply this: is entering the password in the plaintext secure? (obviously besides the simple over-the-shoulder insecurity of it). Are command line arguments saved anywhere on the computer after a command prompt session is closed?

Thanks!

Nathan
    Because the command prompt doesn't know you're entering a password, it won't take any of the recommended precautions, such as zeroing the memory buffer used to store the password after using it. This means there's a chance that a copy of the password will wind up in the swap file. However, under normal circumstances, I wouldn't consider this a serious issue. – Harry Johnston Oct 25 '12 at 20:09

1 Answer

The Windows command prompt does not save history between invocations. There are several hacks about that try to emulate this behaviour, but the basic tool doesn't support it.

Of course, command line statements can be stored in batch files and then it would be advantageous not to declare the password in-line.

Otherwise, you are correct. Using the second option merely protects you from shoulder-surfing or malicious access to an open command prompt (with a live history). Personally I think those are sufficient reasons to use the second option.

Finally, it's worth noting that both solutions are vulnerable to key logging.

Duncan Jones
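
The answer's point about batch files can be checked mechanically. The following is an added example, not part of the original answer: it scans batch-file text for the inline `/password:` form from the question and reports each hit with any literal value redacted. `sometool.exe`, `ADMIN_PW` and the sample script are constructed for illustration.

```python
import re

# Inline form from the question: /password:VALUE (VALUE may be double-quoted).
INLINE_PW = re.compile(r'(/password:)("[^"]*"|\S+)', re.IGNORECASE)
# A value that is only a batch variable reference (%VAR% or !VAR!).
VAR_REF = re.compile(r'^"?(%[^%\s]+%|![^!\s]+!)"?$')


def _redact(match):
    """Keep the switch, hide a literal value, leave variable references visible."""
    value = match.group(2)
    return match.group(1) + (value if VAR_REF.match(value) else "<redacted>")


def scan_batch(text):
    """Return (line_no, kind, redacted_line) for every inline /password: use.

    kind is "literal" when the secret itself is stored in the file, or
    "variable" when the file only names a variable (check where it is set).
    Comment lines (rem, ::) are scanned too: the text is still on disk.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in INLINE_PW.finditer(line):
            kind = "variable" if VAR_REF.match(match.group(2)) else "literal"
            findings.append((line_no, kind, INLINE_PW.sub(_redact, line).strip()))
    return findings


# Constructed sample batch file (sometool.exe and ADMIN_PW are hypothetical).
SAMPLE = r'''@echo off
rem sometool.exe /user:administrator /password:oldvalue
sometool.exe /user:administrator /password:examplepassword
sometool.exe /user:administrator /password:"two words" /quiet
sometool.exe /user:administrator /password:%ADMIN_PW%
sometool.exe /user:administrator
'''

if __name__ == "__main__":
    for line_no, kind, redacted in scan_batch(SAMPLE):
        print(f"line {line_no}: {kind}: {redacted}")
```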