|Jan 31, 2013, 10:36 PM||#1|
Passwords in AppleScript
I'm pretty new to AppleScript and want to write a fairly basic script that logs me into a website that has the irritating trait of logging me out every 15 minutes. The website's on a medium security level for me: I'm OK having a script constantly log into it, but I'd like to avoid people getting in if at all possible. Of course, I could just write a script telling it to put in my username and password, but if some unscrupulous person gets hold of my computer, the plain-English nature of AppleScript will probably make my password pretty obvious.
So, the question is...does anyone know of a way to get around putting the password directly in the script? An idea I had is having an encrypted .txt file with the password and the script somehow decrypting it, but I'm not really sure how to go about doing that or whether that's even any more secure. If the file's just encrypted with another password, then that password will have to go in the script, of course. I also thought about turning the script into an app, but again, I don't know if that's any better.
Thanks in advance!
PS I've tried this: https://www.google.com/#hl=en&tbo=d&...ut+in+password and this: https://www.google.com/#hl=en&tbo=d&...enter+password, plus a few more similar searches, but all I've really found is some stuff about Terminal that doesn't seem relevant, and this: http://forums.whirlpool.net.au/archive/1090217 which goes to no lengths to secure the password. This feels like a question somebody must have had before and I don't want to spam the forum, but I can't seem to find anything...apologies if I missed something.
|Feb 1, 2013, 12:51 AM||#2|
Anything with automated access to a secret can have its builtin secret extracted. Unless you secure the automaton itself, using another secret. And then it's turtles all the way down.
If you put the secret itself on an external device, such as a USB flash drive, and have the script read it from there using a known pathname, then at least the secret is separable from the script. However, since you didn't describe how you expect your computer to fall into unscrupulous hands, I don't know whether that's a viable strategy or not. Separability is much less useful if the two parts always travel together, e.g. you use an SD card that remains plugged in all the time.
Frankly, I can't think of any kind of website where I'd need to be continually logging in, where I was concerned about the password. Not even a banking or securities trading site. I'd be more concerned that an unscrupulous person would walk off with my $1500 computer, rather than that the password I log in with was compromised. If I was that concerned about the physical security of the computer, I'd simply not use that website in a public place from my mobile computer.
If there's some other meaning attached to this particular password, such as you reuse it on multiple sites, then the solution there is to stop doing that. You should have a contingency plan for revoking, resetting, or invalidating any high-value password. The purpose of such a plan is to lower the value of the password.
I don't know of any security problems that are resolved by being vague about the details. All vagueness does is mask weaknesses or allow sloppy analysis. Only a clear and frank discussion of exactly what's being defended, and against what attacks, is likely to result in a solution. So maybe you should clearly explain what the website is, why it has a 15-minute expiry, why logging in repeatedly with a script isn't a fundamental security problem, and what kind of physical attacks on your computer you're trying to thwart.
Last edited by chown33; Feb 1, 2013 at 01:10 AM.
|Thread Tools||Search this Thread|
All times are GMT -5. The time now is 01:38 AM.