May 10, 2021

Handling of Password storage in AutoHotkey

In this post I share different ways of handling password storage in AutoHotkey.

Registry

The first approach is to store the password in a local user registry key.

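Login_GetPassword(){
    ; Read the stored password from the current user's registry hive
    RegRead, sPassword, HKEY_CURRENT_USER\Software\PowerTools, Password
    If (sPassword=""){
        ; Nothing stored yet: prompt for it (Hide masks the typed characters)
        InputBox, sPassword, Password Key, Enter Password, Hide, 200, 125
        If ErrorLevel ; dialog cancelled
            return
        ; Save the newly entered password for the next call
        RegWrite, REG_SZ, HKEY_CURRENT_USER\Software\PowerTools, Password, %sPassword%
    }
    return sPassword
} ; eofun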

Note the use of the Hide option in the InputBox in the code above: it masks your input with * characters.

The registry key stored in HKEY_CURRENT_USER is only accessible to the logged-in user. This means that if you leave your PC locked when not using it, nobody else will be able to access it.

There is, though, one critical scenario: if you share your code as open source, potential attackers might be able to get the value of this key, e.g. by sending you malware by email. Therefore, do not use this approach if you share your code.

Registry with encryption

Your internal IT security policy might also forbid storing your password unencrypted anywhere at all.
In this case you could encrypt the password and store the encryption key in another registry key.

A good AHK resource for encryption can be found here.
Still, if you share your code, a potential attack is possible.

Of course, encrypting and decrypting the password each time you want to access it takes some extra time and might hinder usability if you need to access it a lot.
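One way to implement the encryption step, as an added example that is not from the original post or its linked resource: instead of placing a self-managed key in a second registry value, it uses the Windows Data Protection API (CryptProtectData), which ties the key to the Windows user account. The function names Dpapi_Protect and Dpapi_Unprotect and the value name PasswordEnc are hypothetical, and AutoHotkey v1 (Unicode build) is assumed.

```autohotkey
; Added example for AutoHotkey v1 (Unicode build assumed); not code from the original post.
; Dpapi_Protect, Dpapi_Unprotect and the value name PasswordEnc are hypothetical names.
Dpapi_Protect(sPlain) { ; returns Base64 ciphertext, or "" on failure
    ; DATA_BLOB = { DWORD cbData; BYTE* pbData } -> pointer sits at offset A_PtrSize
    VarSetCapacity(blobIn, 2*A_PtrSize, 0), VarSetCapacity(blobOut, 2*A_PtrSize, 0)
    NumPut(StrLen(sPlain)*2, blobIn, 0, "UInt") ; size in bytes (UTF-16)
    NumPut(&sPlain, blobIn, A_PtrSize, "Ptr")
    ok := DllCall("Crypt32\CryptProtectData", "Ptr", &blobIn, "Ptr", 0, "Ptr", 0
        , "Ptr", 0, "Ptr", 0, "UInt", 0, "Ptr", &blobOut)
    if (!ok)
        return ""
    cb := NumGet(blobOut, 0, "UInt"), pb := NumGet(blobOut, A_PtrSize, "Ptr")
    flags := 0x40000001, cch := 0 ; CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF
    ; First call returns the required length, second call fills the buffer
    DllCall("Crypt32\CryptBinaryToStringW", "Ptr", pb, "UInt", cb, "UInt", flags
        , "Ptr", 0, "UIntP", cch)
    VarSetCapacity(sB64, cch*2, 0)
    DllCall("Crypt32\CryptBinaryToStringW", "Ptr", pb, "UInt", cb, "UInt", flags
        , "Str", sB64, "UIntP", cch)
    DllCall("LocalFree", "Ptr", pb) ; output blob is allocated by DPAPI
    return sB64
}

Dpapi_Unprotect(sB64) { ; returns the plaintext, or "" on failure
    cb := 0 ; 0x1 = CRYPT_STRING_BASE64; cchString 0 = null-terminated input
    DllCall("Crypt32\CryptStringToBinaryW", "Str", sB64, "UInt", 0, "UInt", 0x1
        , "Ptr", 0, "UIntP", cb, "Ptr", 0, "Ptr", 0)
    if (!cb)
        return ""
    VarSetCapacity(bin, cb, 0)
    DllCall("Crypt32\CryptStringToBinaryW", "Str", sB64, "UInt", 0, "UInt", 0x1
        , "Ptr", &bin, "UIntP", cb, "Ptr", 0, "Ptr", 0)
    VarSetCapacity(blobIn, 2*A_PtrSize, 0), VarSetCapacity(blobOut, 2*A_PtrSize, 0)
    NumPut(cb, blobIn, 0, "UInt"), NumPut(&bin, blobIn, A_PtrSize, "Ptr")
    ok := DllCall("Crypt32\CryptUnprotectData", "Ptr", &blobIn, "Ptr", 0, "Ptr", 0
        , "Ptr", 0, "Ptr", 0, "UInt", 0, "Ptr", &blobOut)
    if (!ok)
        return ""
    pb := NumGet(blobOut, A_PtrSize, "Ptr")
    sPlain := StrGet(pb, NumGet(blobOut, 0, "UInt") // 2, "UTF-16")
    DllCall("LocalFree", "Ptr", pb)
    return sPlain
}
; Usage inside Login_GetPassword (only the protected form reaches the registry):
;   RegWrite, REG_SZ, HKEY_CURRENT_USER\Software\PowerTools, PasswordEnc, % Dpapi_Protect(sPassword)
;   RegRead, sEnc, HKEY_CURRENT_USER\Software\PowerTools, PasswordEnc
;   sPassword := Dpapi_Unprotect(sEnc)
```

Any process running as the same Windows user can still call CryptUnprotectData, so this addresses the no-unencrypted-storage policy rather than the malware scenario described above.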

Static variable

A third alternative is not to store the password physically anywhere at all but to use a static variable.

The drawback of this compared to the registry approach is that each time you exit or rerun your AHK script, the password is reset and you will have to re-enter it.
The advantage is that no one can access it by any criminal attack.

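Login_GetPassword(){
    ; The static variable keeps its value between calls, for as long as the script runs
    static sPassword
    If !(sPassword = "")
        return sPassword

    ; First call since the script started: prompt with masked input
    InputBox, sPassword, Password, Enter Password for Login, Hide, 200, 125
    If ErrorLevel ; dialog cancelled
        return
    return sPassword
}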

As a tip, if you want to avoid entering your password many times, you might want to store it via a static variable in a main AHK file that you run only once at startup (one you do not need to re-run often, for example because of code updates) and create a hotkey to type it.

I use, for example, my TextExpander main script for this; this is where I store all my hotkeys.

It then looks like this for the password typing:

!p:: ; <--- Enter Password
sPassword := Login_GetPassword()
Clip_Paste(sPassword)
return

N.B.: the Clip_Paste function does not leave any traces in the clipboard by default and is faster than a SendInput.
