Topic "Passwords and DAPI"

Charles Sorgie

Joined: 2015-03-05
Posts: 12
Greetings,

I have researched and understand Windows Master Passwords and how they work. Thank you for this feature. I am unclear about the following:

(1) On inspection, when site passwords are saved and a Master Password is not set ("not recommended") they do not appear to be stored in clear text. Are they encrypted using the Windows Data Protection API (DAPI) functionality to encrypt strings using the current Windows credentials? If not, how are they encrypted?

(2) I've read and I believe I understand how to make passwords more secure for scripts, thank you. My question is, is there a way to specify the Master Password on the WinSCP.exe command line? I ask because it would then be possible to use PowerShell to first:

# Run once, interactively: ConvertFrom-SecureString with no -Key protects the string with DPAPI under the current user
$PasswordSecure = Read-Host -Prompt "Password" -AsSecureString
$PasswordText = $PasswordSecure | ConvertFrom-SecureString
Set-Content <path> $PasswordText

...and then the script could:

$PasswordText = Get-Content <path>
$PasswordSecure = $PasswordText | ConvertTo-SecureString
# Unwrap the SecureString to plain text only for the moment it is needed
$PasswordBSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($PasswordSecure)
$Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PasswordBSTR)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($PasswordBSTR)  # zero and free the unmanaged copy
WinSCP.exe /masterpw="$Password" ...

...unless of course WinSCP could accept PowerShell secure strings directly.

Thank you
martin
Site Admin
Joined: 2002-12-10
Posts: 25786
Location: Prague, Czechia
1) Without master password, passwords are stored using a simple encryption that's easy to crack.

2) So why don't you use the same technique for the password (not master password) directly?
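Implementing that suggestion end to end, as an added example that is not from this thread or from the WinSCP project: the site password is protected with Windows DPAPI via ConvertFrom-SecureString and handed to WinSCP's .NET assembly as a SecureString, so no plaintext is written to disk or placed on a command line. It assumes WinSCPnet.dll is installed at $WinScpDll, and the host, user, fingerprint and path values are placeholders.

```powershell
# Added example; assumed paths and placeholder connection values throughout.
$WinScpDll = 'C:\Program Files (x86)\WinSCP\WinSCPnet.dll'   # assumed install path
$CredFile  = Join-Path $env:APPDATA 'winscp-site.cred'       # assumed location of the DPAPI blob

function Save-ProtectedPassword {
    # Run once, interactively, under the same Windows account that will run the script.
    # ConvertFrom-SecureString without -Key uses DPAPI, so the blob only decrypts
    # for this user on this machine (unlike WinSCP's portable "simple encryption").
    $secure = Read-Host -Prompt 'Site password' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $CredFile
    # Tighten the file ACL to the current user; DPAPI already blocks other users
    # from decrypting it, but this also stops the blob being copied casually.
    icacls $CredFile /inheritance:r /grant:r "$env:USERDOMAIN\${env:USERNAME}:(R,W)" | Out-Null
}

function Get-ProtectedPassword {
    # Returns a SecureString; ConvertTo-SecureString fails if run as another user
    # or on another machine, which is the failure mode to expect after a migration.
    Get-Content -Path $CredFile | ConvertTo-SecureString
}

function Invoke-ProtectedTransfer {
    param(
        [string]$HostName,   # e.g. 'sftp.example.test' (placeholder)
        [string]$UserName,
        [string]$HostKey,    # pinned server key fingerprint, e.g. 'ssh-ed25519 255 SHA256:...' (placeholder)
        [string]$LocalPath,
        [string]$RemotePath
    )
    Add-Type -Path $WinScpDll
    $options = New-Object WinSCP.SessionOptions -Property @{
        Protocol              = [WinSCP.Protocol]::Sftp
        HostName              = $HostName
        UserName              = $UserName
        SshHostKeyFingerprint = $HostKey   # verify the host key; do not accept any key
    }
    # SecurePassword takes the SecureString directly, so no BSTR/plaintext round-trip.
    $options.SecurePassword = Get-ProtectedPassword
    $session = New-Object WinSCP.Session
    try {
        $session.Open($options)
        $result = $session.PutFiles($LocalPath, $RemotePath)
        $result.Check()   # throws if any individual transfer failed
    }
    finally {
        $session.Dispose()
    }
}
```

Because the DPAPI blob is bound to the user and machine, the credential file has to be re-created with Save-ProtectedPassword on each host or service account that runs the script.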
Charles Sorgie

Joined: 2015-03-05
Posts: 12
martin wrote:
1) Without master password, passwords are stored using a simple encryption that's easy to crack.

2) So why don't you use the same technique for the password (not master password) directly?

(1) => As it stands the current encryption allows for settings to be exported and then imported on another machine, very useful.
(2) => Would require one password file per site vs. one password file for all sites. I will try this.

I suggest that the HKCU always use DAPI encryption and an Export have the option of converting it to simple encryption. Import would detect. Master Password would override. Thoughts?
Charles Sorgie

Joined: 2015-03-05
Posts: 12
So I have implemented this and it works quite well. From that implementation I have a few feature suggestions. Please let me know if you would rather I post them in the Feature portion of the forum:

(1) Add a Master Password switch. This would have been a big timesaver.
(2) Add the ability to show the cleartext of a password or copy it to the clipboard.
martin
Site Admin
Joined: 2002-12-10
Posts: 25786
Location: Prague, Czechia
Charles Sorgie wrote:
(1) Add a Master Password switch. This would have been a big timesaver.

Well in general, we discourage using stored site settings in scripting.
https://winscp.net/eng/docs/scripting#configuration
This would go clearly against that recommendation.

Quote:
(2) Add the ability to show the cleartext of a password or copy it to the clipboard.

See https://winscp.net/eng/docs/faq_password