I have a script which runs the daily/weekly/monhtly miantenance tasks which stores the admin username and password in properties of the script. I’m not concerned about security in my home, but if I was to give this to friends who may use it in a work environment, would the admin username and password be accessible to others in any way and compromise security?
Strings are not safe in a script. For use in a “public” environment, I would store the password in the Keychain (search for “Keychain AND Scripting” in the OS X forum).
if the script was saved as an application then it would be a lot harder than opening the script and reading the password.
Not when the password data is stored in a property of the script it’s not. Even saving as a run-only script/applet isn’t safe, as it’s easy enough to scan the bytecode for human-readable strings and work out which are significant from there. (e.g. There are command line tools included in OS X that will do this for you.) JJ is correct: store all password information in the Keychain.
In addition, even when your script doesn’t hardcode sensitive information within itself, if it runs as an applet or in any other context that preserves the script’s state between runs, you should also be extremely careful not to leave any sensitive information in properties/global variables as those will be stored to disk upon quitting, resulting in another big fat security hole.
yeah sorry i forgot about the command $ strings
the command strings spits all the text straight out.
Since OSX 10.4.2, my keychain queries from Applescript have been broken.
tell application "Keychain Scripting"
tell current keychain
tell (some generic key whose name is "ApplescriptAllow")
set passW to password
would not work anymore.
If it does, let me know