We could ask the user for a key, but of course that needs to be stored somewhere, and that also needs to be encrypted, so back to square one. The problem with encrypting the passwords is that we must use a key, and that key must go in the EXE, so it's always going to be visible no matter what we do.
It simply stops the passwords being clear text. It's exactly the same password encryption that has been there since V1. Hi, yes, the password encryption is not very strong nor has it ever been advertised as being strong. The encryption should be much stronger, the password should be mixed and padded with a significant amount of random data and lastly it should be less obvious where they are stored (having the word password on the same line as the encrypted password just makes to easy to find). I then when to a different system and found that I could also decode all the passwords stored within SyncBack on that system too. I could now decode all the passwords stored within SyncBack. This made me wonder how strong the encryption was and within 10 to 15 minutes I had worked out the encryption method. It was then concerning to find a direction relation in the way they are stored and the number of characters in the password. So I was surprised that within a couple of minutes I had found where they stored.
I have been entering various passwords into SyncBack over the last few weeks which made wonder how they are stored, so to reassure myself I decide to see if I could find where there are stored, hoping that I could not.
0 kommentar(er)
