Password hiding in UNIX

Hi guys,

I use the STTY command to make the password invisible.

Now I need to write the password into another file, pwd.txt, but in an invisible manner, something like ******. Another thing is that when I echo the content of pwd.txt I get the password I actually typed.

Thanks guys. Help me out.

Maybe I'm wrong; your requirement looks ambiguous to me. If you want to write the password to a file in an "invisible manner something like ******", then how good (or secure) is it, if you are able to echo the content of pwd.txt and you get the password that you actually typed?

Hi, thank you,
I am not sure about the second thing which I gave, i.e. to display,
but I need to write as ***** if I enter the password into the file.

If you need to write the password to a file as "*****" just write a literal "*****" to the file. So long as you know there's no way to read it back as the entered password!

Here's something to display "*" as you type a password:

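trap 'stty "$oldstty"; exit' 0        # restore the terminal settings on exit

readString () {
  printf "Enter password: "
  oldstty=$(stty -g)                  # save the current terminal settings
  stty -icanon -echo min 1 time 0     # no echo, deliver each byte as it is typed
  while :; do
    K=$(dd bs=1 count=1 2>/dev/null)  # read one byte; Enter leaves K empty
    [ ! "$K" ] && break
    S=$S$K                            # append the byte to the password
    printf "%c" ${K:+\*}              # show a "*" in its place
  done
  stty "$oldstty"
  echo
}

readString
echo "You entered: $S"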

A variation on this old post: Camouflage STD IN on output (TRU64) Post: 302494498


To Scott,

I have dreamed of such a function. Wonderful.

To mohanalakshmi,

Are you wanting to somehow encrypt the password and store it in a file? If so, you need to think of how you are going to mix it up and how you are going to reverse it. Maybe we can help with that, but you have to consider how you make the method secure. If someone can read the file and gets the string Krfmase7fjh!kwern and can read your code on how to reverse it, then they can manually follow the process. Even if you convert it to unprintable characters, then they could still use od to get the character codes and work from there.

If your decrypting script does something like this:-

  1. Read access encrypted password from file
  2. Decrypt value and feed to another command in plain text

..... then the above is a problem. If your logic follows more like this:-

  1. You store the encrypted password
  2. Another process has to check the user password by encrypting and matching the stored value

... then this may be better, however if your code continues by doing something obvious because the password check is confirmed, then if they can read your code, they can just do the same but exclude the password checking. Consider:-

read passwd?"What is the password? "
check_password "$passwd"
if [ $? = 0 ]      # True returned from check_password function for accepted password
then
   vi /data_dir/payroll_file
else
   echo "You are not authorised!"
fi

There is nothing to stop a user reading this and just running vi /data_dir/payroll_file

What are you actually trying to achieve?

Robin
Liverpool/Blackburn
UK

  1. If you are root and you are trying to hide the password from other users, give 400 permission to that flat file.
  2. If you have a DB available, create a table and store the password in it rather than having it in a flat file.
  3. Try your own encoding algorithm, something like this. Convert your passwd into some code, store it and decode it with your logic again.
echo '73 61 74 68 79 61' |  perl -nE 'say map(chr, map { hex } split)'
sathya
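
The store-and-compare scheme Robin describes, combined with the 400 permission suggested above, as an added example that is not part of any post in this thread. PWFILE and the function names are hypothetical, and sha256sum is assumed to be installed as a stand-in for a deliberately slow password hash.

```shell
#!/bin/sh
# Added example. PWFILE and the three function names are hypothetical.
PWFILE=${PWFILE:-./pwd.txt}

# hash_password SALT PASSWORD: print a hex digest of "salt:password".
# Assumption: sha256sum (GNU coreutils) is installed. It stands in for a
# deliberately slow password hash, which a real deployment should prefer.
hash_password () {
  printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# store_password PASSWORD: write "salt:hash" to PWFILE, never the password.
store_password () {
  salt=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  rm -f "$PWFILE"                       # an earlier copy is read-only (mode 400)
  ( umask 077                           # create the file unreadable by others
    printf '%s:%s\n' "$salt" "$(hash_password "$salt" "$1")" > "$PWFILE" )
  chmod 400 "$PWFILE"
}

# check_password PASSWORD: status 0 only if PASSWORD re-hashes to the stored
# value; 2 if the file is missing or unreadable. Nothing is ever decrypted.
check_password () {
  [ -r "$PWFILE" ] || return 2
  IFS=: read -r salt stored < "$PWFILE" || return 2
  [ -n "$stored" ] && [ "$(hash_password "$salt" "$1")" = "$stored" ]
}

# Constructed demo values; run as: sh thisfile demo
if [ "${1:-}" = demo ]; then
  store_password 'correct horse'
  check_password 'correct horse' && echo "match"
  check_password 'wrong guess'   || echo "no match"
  cat "$PWFILE"                         # prints salt:hash only
fi
```

The stored file cannot be read back as the typed password, unlike the hex encoding above. As Robin notes, a readable script can still be bypassed by skipping the check, so whatever the check guards needs its own file permissions.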