Password-protect file/folder on MacOS

I want to create an encrypted file containing some important passwords. Ideally, I would be able to open that file in a plaintext editor and edit passwords just like I would with any other plaintext file.
I've seen different suggestions to create an encrypted disk image for the folder containing the password file to be encrypted. However, I'd have to re-create that disk image every time I wanted to edit the password file, which seems excessive.
This is my file, secrets.yaml:
google.com:
  username: mygoogleusername
  password: mygooglepassword
facebook.com:
  username: myfacebookusername
  password: myfacebookpassword
How can I password-protect this file? Is it sufficient to run something like chmod 600 secrets.yaml (i.e. assign read-write to the owner of the file only)?

You will have to use tools for individual file encryption, like AxCrypt. It can do 128- or 256-bit encryption for an individual file of any kind, by setting a key as you expect, and only you can open the file.
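As an added example, not from the question or the answer above: a small POSIX shell workflow that keeps secrets.yaml encrypted at rest with openssl and decrypts it only into a mode-600 temporary file while you edit it, so no disk image has to be rebuilt. chmod 600 on its own only keeps other accounts on the same running Mac out of the file; it does nothing against whoever gets the disk, a Time Machine backup, or root. Assumptions not in the original: the passphrase arrives in the environment variable SECRETS_PASSPHRASE, and the openssl binary understands -pbkdf2 (OpenSSL 1.1.1 or a recent LibreSSL; older macOS builds of LibreSSL lack it, so check `openssl version` first).

```shell
#!/bin/sh
# Added example: keep secrets.yaml encrypted with openssl and edit it via a
# private temp file. SECRETS_PASSPHRASE and the -pbkdf2 support are assumptions.

set -u

# encrypt_secrets PLAINTEXT CIPHERTEXT
# AES-256-CBC with a random salt and a PBKDF2-stretched key. `openssl enc`
# has no authenticated mode, so this protects confidentiality only: a
# tampered file decrypts to garbage instead of failing cleanly.
encrypt_secrets() {
  [ -n "${SECRETS_PASSPHRASE:-}" ] || { echo "SECRETS_PASSPHRASE is not set" >&2; return 2; }
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
    -pass env:SECRETS_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_secrets CIPHERTEXT PLAINTEXT
decrypt_secrets() {
  [ -n "${SECRETS_PASSPHRASE:-}" ] || { echo "SECRETS_PASSPHRASE is not set" >&2; return 2; }
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass env:SECRETS_PASSPHRASE -in "$1" -out "$2"
}

# edit_secrets CIPHERTEXT
# Decrypt into a temp file created under umask 077 (mode 600), open the
# editor, re-encrypt to a sibling file and rename it over the original, and
# remove the plaintext even if the editor is interrupted.
edit_secrets() {
  enc="$1"
  tmp=$(umask 077 && mktemp "${TMPDIR:-/tmp}/secrets.XXXXXX") || return 1
  trap 'rm -f "$tmp" "$enc.new"' EXIT INT TERM
  if [ -f "$enc" ]; then
    decrypt_secrets "$enc" "$tmp" || return 1
  fi
  "${EDITOR:-vi}" "$tmp"
  encrypt_secrets "$tmp" "$enc.new" && mv "$enc.new" "$enc"
  rm -f "$tmp"
  trap - EXIT INT TERM
}

# Typical use (the passphrase is read from the environment, not the command line):
#   export SECRETS_PASSPHRASE; read -r SECRETS_PASSPHRASE
#   edit_secrets ~/secrets.yaml.enc
```

Read the passphrase with the terminal echo turned off rather than typing it on the command line, or it lands in your shell history. If you also want tampering detected, `gpg --symmetric` produces an integrity-protected file with the same edit workflow.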

Related

How to hide a password in a .bat file?

I'd like help in setting a password in a batch file but without exposing the password.
If I SET password="abc123", I don't want abc123 to be visible in the batch file, as other people will be running the .bat file.
There is unfortunately no good solution to hide a password in a batch file.
Even if you encrypt it, change it to hex, hide it in an Alternate Data Stream (ADS) or whatever you want, at some point you have to test the value in your code with an IF test.
At this point the password, encrypted or not, will be visible or set in a variable that can be echoed.
You can also compress your BAT into a self-extracting .EXE, but this is very easy to crack, as the .BAT file has to be decompressed before you run it (in the %temp% folder).
So there is no way to really hide a password in a .BAT file.
You can try this method: Password hidden using ADS
1. create and save your batch file
2. use the ECHO command to 'place' your password into an ADS attached to your batch file
3. use redirection to read the password from the ADS (Alternate Data Stream) file

Webdeploy Publish Profile password saving

I saved a publish profile into an .xml along with all the login info. But when I import this XML on another computer and try to publish, it says that my password is incorrect.
What can I do to have the password correctly saved into the publish profile and compatible with other computers?
My guess is that the program purposely obfuscates the passwords using the current PC's "salt" and generates a unique hash. Thus, preventing the passwords from being stolen via the profile publish function.
As mentioned by user1785999, you can save the password in plain text, just add the password element to your .pubxml file:
<UserName>YourName</UserName>
<Password>YourPassword</Password>
If you want the publishing profile to work across different computers, you need to save the password in plain text.
Just to add an additional answer: this may be version specific for .pubxml, but you can add these lines to ensure Visual Studio saves the password.
Make sure to use the ".\" prefix for a local account, and "domain\" prefix for an Active Directory account.
<UserName>.\PubUser1</UserName>
<UserPWD>Password1234</UserPWD>
<_SavePWD>True</_SavePWD>

How to save information with bash in the system?

I am using the command line with bash in Mac OS X. I will ask in my script:
Enter your password?
>
Do you want to save it and do not ask this more?
The password is used to unzip a file. To do this, it always has to be entered, but I want it to be entered only once.
I can easily save it in a text file, but that is too obvious.
So I want to save it in the system. Windows has the "Windows Registry". Is there a similar system in Mac OS X (or Unix) that I can save it in so that it will not be lost?
Or is there another way to save the password that is more secure? I know that if someone runs the script in debug mode (showing how the command line is built) he will easily find the password, but he would have to get hold of the computer, so it is a kind of physical security.
You could do it the way system passwords are stored: use a plain text file but store a checksum instead of the plain text password. It would be best if the file wasn't accessible to the user, but even if it is, it's not that easy to reverse a checksum. Suppose you read the password into the variable password. Then, you could do something like echo "$password" | sha1sum - > password_file. Then at the next login, run the password provided by the user through the same command and compare the results. This way you can check if they entered the correct password without storing the password in cleartext.
Either use your OS's keyring (OSX has something like this), or store it in plain text. Don't pretend that you are secure when you are not. If you cannot store things securely, then store them in plain sight, so the user is not given a false sense of security.
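An added example, not part of either answer above, of what the second answer means by the OS keyring on a Mac: the `security` command stores and reads generic-password items in the login keychain, so the script never writes the password to a file. Note that the hash-and-compare approach of the first answer only lets a script check a typed password; it cannot hand the password back to unzip, which is what this script needs. The item label KC_SERVICE is an assumption, not something from the original post.

```shell
#!/bin/sh
# Added example: cache an archive password in the macOS login keychain with
# the `security` tool. KC_SERVICE is an assumed label; use one per script.

KC_SERVICE="unzip-archive"
KC_ACCOUNT="${USER:-$(id -un)}"

# Print the stored password, or return non-zero if there is none.
# The first read from a new binary pops up the keychain "Allow" dialog once.
keychain_get() {
  security find-generic-password -a "$KC_ACCOUNT" -s "$KC_SERVICE" -w 2>/dev/null
}

# Store a password, replacing any existing item with the same label (-U).
# The value travels as an argument, so it is briefly visible to `ps` on this
# machine; it never touches disk in the clear.
keychain_set() {
  security add-generic-password -U -a "$KC_ACCOUNT" -s "$KC_SERVICE" -w "$1" >/dev/null
}

# Return the password on stdout: from the keychain if cached, otherwise ask
# once and offer to cache it. Prompts go to stderr so stdout is only the secret.
get_archive_password() {
  if pw=$(keychain_get); then
    printf '%s' "$pw"
    return 0
  fi
  printf 'Enter the archive password: ' >&2
  stty -echo; read -r pw; stty echo; printf '\n' >&2
  printf 'Save it to your login keychain? [y/N] ' >&2
  read -r ans
  case "$ans" in
    y|Y) keychain_set "$pw" ;;
  esac
  printf '%s' "$pw"
}

# Typical use. unzip -P puts the password on its command line, visible in
# `ps` while unzip runs: the keychain keeps it off disk, not away from other
# local processes.
#   unzip -P "$(get_archive_password)" archive.zip
```

Running the script in debug mode (`sh -x`) will still print the password as the command line is expanded, exactly as the question anticipates; the keychain only removes the plaintext file.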

Create new file with custom file extension?

How can I create a new file with a file format of, say, .kuy? This file would be holding encrypted data. And then later I could choose that file with the extension .kuy to decrypt. So if I encrypted soundfile.aup, the encrypted file would be soundfile.aup.kuy; then the user would proceed to decrypt that file, in which case the output would be soundfile.aup.
Thank you,
Bobby
You can assign a file extension to your application by going to your Target's info window and selecting the Properties tab:
After that, you just need to add your desired extension when you save a file.
As Steve suggests, first you have to create a custom file format. After that, whenever a custom file gets opened - by double click or whatever - its path will be passed to application:openFile:. http://developer.apple.com/library/mac/documentation/Cocoa/Reference/NSApplicationDelegate_Protocol/Reference/Reference.html#//apple_ref/doc/uid/TP40008592-CH1-SW29
Once you have the path, do your logic and you should be fine.

Is there a quick and easy way to dump the contents of a MacOS X keychain?

I'm looking for a way to dump (export) the contents of an OS X keychain into a file that I can easily process elsewhere, such as tab-delimited plaintext or something of the sort.
The Keychain Access app does not offer any such functionality, and getting a key's data involves opening each in turn, and having to type in the keychain's password to see the password stored with the key, every time.
After a bit of digging, I found somebody's solution by using AppleScript and the Keychain Scripting app to access keychains (can't link to individual post; scroll down about two thirds to the end of the page):
http://discussions.apple.com/thread.jspa?threadID=1398759
Using Keychain scripting, you can access all data fields of all the keys – including the plaintext password! – and it's fairly easy to dump this data into a text file etc. I've tested it and it works well.
However, this solution still involves having to confirm access to each key by clicking OK on a dialog. This is much better than having to type in the keychain's password every time, but it's still irritating. Furthermore, you have to confirm access twice for each key; once for Script Editor (or the script itself if it's running as an app) and once for Keychain Scripting. So, if you're processing a keychain with 100 keys, you have to manually click OK on 200 dialogs.
I'm now looking for a solution to get around this. I realize that as it's the purpose of keychains to safeguard the sensitive data and prevent precisely the kind of thing I'm trying to do, any such solution would probably involve some kind of hack.
I'd be very interested in your ideas!
All right, I'm stupid. There's a command-line tool called security that does just this (and lots of other actions on keychains).
An example usage:
security dump-keychain -d login.keychain
This will dump all the data in login.keychain (the default keychain for a user) as plaintext, including the passwords. You still have to confirm access, but only once for each key, and it's much faster than using AppleScript (and doesn't throw weird errors when trying to access certain fields). And it's no hack.
Without the -d option, it will dump all the fields except for the password.
The dumped data for a key looks like this (for an internet key; program keys and certificates have other fields, but the format is the same):
keychain: "/Users/<username>/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="tech.slashdot.org (<username for this web login>)"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="<username for this web login>"
    "atyp"<blob>="form"
    "cdat"<timedate>=0x32303038303432333038323730355A00 "20080423082705Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>="Kennwort des Web-Formulars"
    "icmt"<blob>="default"
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303038303432333038323730355A00 "20080423082705Z\000"
    "nega"<sint32>=<NULL>
    "path"<blob>=<NULL>
    "port"<uint32>=0x00000000
    "prot"<blob>=<NULL>
    "ptcl"<uint32>="http"
    "scrp"<sint32>=<NULL>
    "sdmn"<blob>=<NULL>
    "srvr"<blob>="tech.slashdot.org"
    "type"<uint32>=<NULL>
data:
"<the plaintext password for this key>"
Please read this: https://gist.github.com/rmondello/b933231b1fcc83a7db0b
Ignore:-----
I found a solution to the "Always Allow" dialog for each key!
Just run the previous command with sudo.
sudo security dump-keychain -d login.keychain
This way you'll only need to enter your password two times. One on the Terminal to sudo and another to unlock the keychain! ;)
Have a nice day!
Update, there is now a tool that does this nicely:
Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files.
Source: https://github.com/juuso/keychaindump
Actually I was just looking for the same:
Modified AppleScript from GitHub that somebody posted. To be run in Script Editor, and it must be allowed in Preferences & Security.
set keychainPassword to "yourpasswordgoeshere"
tell application "System Events"
    repeat while exists (processes where name is "SecurityAgent")
        tell process "SecurityAgent"
            delay 0.1
            try
                set value of text field 1 of window 1 to keychainPassword
                click button "Allow" of window 1
            end try
        end tell
    end repeat
end tell
You must click each window separately in order to activate them. For that I used the tool "murgaa auto clicker", which I knew from RuneScape many years ago (http://www.murgaa.com/auto-clicker-mac/ seems to be still active). You just set a shortcut for autoclicking (e.g. Command+R), set the timer to 10ms, and it works like a charm.
Keysafe
Keysafe reads and decrypts Apple Keychain files. Use Keysafe to securely access your passwords and credentials without a Mac.
I wrote a tool called Keysafe to extract the contents of Keychain files. The tool is available on Mac, Windows, and Linux.
Keysafe is not free; a licence is required to fully decrypt a Keychain. Without a licence the contents are still extracted but the decrypted values are partially redacted and secure notes are not post-processed into RTFD files.
If you have a Keychain that does not "just work" with Keysafe, please get in touch. The Keychain format is expansive and finding edge cases is always interesting.
I found a solution to avoid clicking "Allow" multiple times:
sudo su
security dump-keychain -d /Users/YourUsername/Library/Keychains/login.keychain
