Masking Passwords

Microsoft® Windows® 2000 Scripting Guide

« Previous | Next »   

As a security precaution, administrators are encouraged to log on to computers by using a typical user account, one without administrative privileges. This means that administrators must supply alternate security credentials (in the form of a user name and a password) to run scripts that require administrative privileges. Although this is good advice, it does have at least possible two drawbacks:

• If you hard-code the administrator password within the script itself, the password is visible to anyone who has access to the script.
• If you type the administrator password in response to a prompt (either at the command line or in a VBScript Input box), the password is not masked in any way. This means that the password you type on the screen will be clearly visible to anyone looking at the monitor.

In turn, this creates a dilemma for system administrators. On the one hand, they are discouraged from logging on to a computer by using the administrator account. On the other hand, neither VBScript nor WSH provides a method for masking passwords as they are entered. As a result, typing a password can be considered as big a security hole as logging on as an administrator.

Fortunately, both VBScript and WSH support COM automation. As a result, you can tap the capabilities found in Internet Explorer to provide password masking for your scripts.

Send us your feedback

« Previous | Next »