1

My script is going to use WMI to connect to remote systems and I was looking at this post on how to go about doing so. It looks like I may need to pass in the username and password.

I am executing my script on remote systems with a Java program that runs it and parses the STDIN output.

Is it safe to pass in a password as a variable?

From the Java side the password will be in a property file (or a different method -- I'm not yet sure of the best way to go about that, but it's a different story) and I'll pass it in when I call the script.

Envin

2 Answers

1

Never ever send passwords in plain. Always use a one-way hash algorithm like MD5 to encrypt the password entered by a user.

Further, never save a password as plain text anywhere. Always store the hash and compare this with the hashed input of the user.

Some articles to start with VBScript:

Marvin Emil Brach
  • 2
    MD5 isn't really ideal either since it is insecure. – Darren Jun 24 '13 at 12:54
  • So would I just pass the encrypted version in the script and decrypt it right before sending it where it needs to go? – Envin Jun 24 '13 at 12:57
  • No. You don't decrypt the password (if it's possible to decrypt it, then it is not safe)! You compare only the encrypted values, while using such an algorithm (MD5 or better: a safer one! Thanks to Darren Davies) – Marvin Emil Brach Jun 24 '13 at 13:01
  • 1
    Nothing wrong with sending plaintext passwords when the connection is encrypted. Basically you have 2 options: a) send the unencrypted password and have the server check it against a stored hash or b) send a hash and have the server compare it against the hash of a stored plaintext password. Otherwise a transmitted hash would be the exact same as transmitted plaintext. Besides, you're not always free to choose what to provide as it depends on what the server allows/requires, so sometimes you have to store the plain password in your script. Also, **DO NOT** use home-grown encryption algorithms. **EVER.** – Ansgar Wiechers Jun 24 '13 at 13:32
0

If you are worried about sending the password in plaintext via network for a WMI request: This link says that if you have Kerberos authentication in use, password/username cannot be intercepted on the network. http://msdn.microsoft.com/en-us/library/windows/desktop/aa393720(v=vs.85).aspx Check if this helps you out.

If you are worried about saving the password on the machine (which you want to use for a WMI request): Encrypt it and store it in some db/file, and decrypt it whenever you want to send it across.
And yes, you should use existing standard encryption mechanisms.

Rupali K
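One way to apply the second answer's advice with a standard Windows mechanism, as an added example that is not from the original answers: the credential is stored DPAPI-protected via Export-Clixml and loaded only when the WMI call is made. It assumes Windows PowerShell rather than the asker's VBScript, and the file path, host name and domain are placeholders.

```powershell
# Added example. Requires Windows PowerShell (Get-WmiObject is not in PowerShell 7).
# The path, host and domain values below are placeholders, not from the thread.
$CredPath = Join-Path $env:LOCALAPPDATA 'wmi-job\wmi-cred.xml'

function Save-WmiCredential {
    # Run once, interactively, as the account that will later run the job.
    # Export-Clixml stores the PSCredential's password as a DPAPI-protected
    # blob that only this user on this machine can decrypt.
    param([string]$Path = $CredPath)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-Credential -Message 'Account used for remote WMI queries' |
        Export-Clixml -Path $Path
}

function Get-RemoteOsInfo {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$Authority,            # e.g. 'kerberos:EXAMPLE\server01'
        [string]$Path = $CredPath
    )
    try {
        $cred = Import-Clixml -Path $Path -ErrorAction Stop
    } catch {
        # Fails when the file is missing or was created by another user or machine.
        throw "Cannot load stored credential from '$Path': $($_.Exception.Message)"
    }
    $wmiArgs = @{
        Class          = 'Win32_OperatingSystem'
        ComputerName   = $ComputerName
        Credential     = $cred
        Authentication = 'PacketPrivacy'   # encrypt the DCOM traffic
        ErrorAction    = 'Stop'
    }
    # Request Kerberos explicitly when an authority string is supplied.
    if ($Authority) { $wmiArgs.Authority = $Authority }
    Get-WmiObject @wmiArgs | Select-Object CSName, Caption, Version
}

# Usage (placeholder names):
# Save-WmiCredential
# Get-RemoteOsInfo -ComputerName 'server01.example.test' -Authority 'kerberos:EXAMPLE\server01'
```

Because the stored file can only be decrypted by the account that created it, the calling program never has to hold the password in a property file or pass it to the script.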