Charles Sorgie

Re: Passwords and DAPI

So I have implemented this and it works quite well. From that implementation I have a few feature suggestions. Please let me know if you would rather I post them in the Feature portion of the forum:

(1) Add a Master Password switch. This would have been a big timesaver.
(2) Add the ability to show the cleartext of a password or copy it to the clipboard.

Charles Sorgie

Re: Passwords and DAPI

martin wrote:

1) Without master password, passwords are stored using a simple encryption that's easy to crack.

2) So why don't you use the same technique for the password (not master password) directly?


(1) => As it stands the current encryption allows for settings to be exported and then imported on another machine, very useful.
(2) => Would require one password file per site vs. one password file for all sites. I will try this.

I suggest that the HKCU always use DAPI encryption and an Export have the option of converting it to simple encryption. Import would detect. Master Password would override. Thoughts?

martin

Re: Passwords and DAPI

1) Without master password, passwords are stored using a simple encryption that's easy to crack.

2) So why don't you use the same technique for the password (not master password) directly?

Charles Sorgie

Passwords and DAPI

Greetings,

I have researched and understand Windows Master Passwords and how they work. Thank you for this feature. I am unclear about the following:

(1) On inspection, when site passwords are saved and a Master Password is not set ("not recommended") they do not appear to be stored in clear text. Are they encrypted using the Windows Data Protection API (DAPI) functionality to encrypt strings using the current Windows credentials? If not, how are they encrypted?

(2) I've read and I believe I understand how to make passwords more secure for scripts, thank you. My question is, is there a way to specify the Master Password on the WinSCP.exe command line? I ask because it would then be possible to use PowerShell to first:

$PasswordSecure = Read-Host -Prompt "Password" -AsSecureString
$PasswordText = $PasswordSecure | ConvertFrom-SecureString
Set-Content <path> $PasswordText

...and then the script could:

$PasswordText = Get-Content <path>
$PasswordSecure = $PasswordText | ConvertTo-SecureString
$PasswordBSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PasswordSecure)
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PasswordBSTR)
WinSCP.exe /masterpw="$Password" ...

...unless of course WinSCP could accept PowerShell secure strings directly.

Thank you
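
The store-and-load steps from the original question, as an added PowerShell example that is not part of any post in this thread: it wipes the unmanaged plaintext copy after use and reports a clear error when the stored blob cannot be decrypted by the current Windows account. The function names, the file path and the sample password are constructed for illustration.

```powershell
# Added example; function names, file path and sample password are constructed.
function Save-ProtectedPassword {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][securestring]$Password)
    # Without -Key/-SecureKey, ConvertFrom-SecureString protects the value with
    # DPAPI: only the same Windows user on the same machine can decrypt it.
    $Password | ConvertFrom-SecureString | Set-Content -LiteralPath $Path -Encoding ASCII
}

function Read-ProtectedPassword {
    param([Parameter(Mandatory)][string]$Path)
    $blob = Get-Content -LiteralPath $Path -TotalCount 1
    try {
        $secure = ConvertTo-SecureString -String $blob -ErrorAction Stop
    } catch {
        # Typical causes: file copied from another user or machine, or damaged.
        throw "Cannot decrypt '$Path' under the current Windows account: $($_.Exception.Message)"
    }
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        # A BSTR is UTF-16, so read it with PtrToStringBSTR.
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Wipe and free the unmanaged plaintext copy even if the read fails.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Demo with a constructed password instead of Read-Host, so it runs unattended.
$path   = Join-Path $env:TEMP 'dpapi-demo-password.txt'
$sample = ConvertTo-SecureString 'constructed-sample-pw' -AsPlainText -Force
Save-ProtectedPassword -Path $path -Password $sample

$onDisk = Get-Content -LiteralPath $path -Raw
"Plaintext present in file: $($onDisk.Contains('constructed-sample-pw'))"
"Round trip matches:        $((Read-ProtectedPassword -Path $path) -eq 'constructed-sample-pw')"

# Simulate a blob this account cannot decrypt by damaging the stored text.
Set-Content -LiteralPath $path -Value ($onDisk.Trim().Substring(0, 40)) -Encoding ASCII
try { Read-ProtectedPassword -Path $path | Out-Null }
catch { "Rejected damaged blob: $($_.Exception.Message)" }
Remove-Item -LiteralPath $path
```

Once the value is converted back to a plain string it is no longer protected by DPAPI, and anything passed as a command-line argument can be read from the process listing while the program runs.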