mickyj wrote: Hi, yes, the password encryption is not very strong, nor has it ever been advertised as being strong. It's exactly the same password encryption that has been there since V1. It simply stops the passwords being clear text.
True, but I think there is a reasonable expectation that it should take more than a few minutes to find and break.
mickyj wrote: The problem with encrypting the passwords is that we must use a key, and that key must go in the EXE, so it's always going to be visible no matter what we do. We could ask the user for a key, but of course that needs to be stored somewhere, and that also needs to be encrypted, so back to square one. This means it makes no difference at all how strong the encryption is, because you can get the key to decrypt it.
I appreciate the issue with keys, although there are ways around this issue which, while not perfect, would require significant effort to circumvent. If you want I can send you some suggestions.
This is not a problem that is exclusive to SyncBack and Microsoft provides DPAPI in Windows to address this issue. I have not used this myself but it looks to be fairly simple to use.
mickyj wrote: You can of course secure access to your profile settings files, so if that directory itself is secure (using NTFS security) then nobody but you should have access to those files anyway, and so cannot get to the encrypted password to begin with.
True, but it is generally not a good idea to rely just on file system security. Unfortunately, what tends to happen when something does not work is that either security is removed or users are given privileges that they shouldn't really have, instead of actually fixing the issue; I have seen this more times than I care to remember.
Of course if you are unfortunate enough to have your system infected by malware then file system security is probably not going to help a lot. If the purpose of the malware is to collect sensitive information such as passwords then you do not want to make it too easy for it to succeed.
Andrew.
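As an added example (not SyncBack's code and not from either poster), this is what the DPAPI approach mentioned in the post above looks like from PowerShell on Windows. The key never appears in the EXE or in the profile file: DPAPI derives it from the logged-on user's credentials, so the blob stored on disk is only decryptable by that Windows account. The function names and the entropy label are my own choices; the sample password is constructed.

```powershell
# Added example: protecting a stored password with Windows DPAPI via .NET.
# Assumes Windows with Windows PowerShell 5.1 or PowerShell 7 (DPAPI is Windows-only).
Add-Type -AssemblyName System.Security

# Optional secondary entropy mixed into the protection. It is NOT a secret key
# (it has to be present to decrypt); it only stops other DPAPI callers in the
# same account from decrypting this blob by accident. Label is an assumed value.
$Entropy = [Text.Encoding]::UTF8.GetBytes('SyncBackProfile-v1')

function Protect-ProfilePassword {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        # CurrentUser: only this Windows account can decrypt.
        # LocalMachine: any account on this machine can decrypt (for service accounts).
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $scopeValue = [Enum]::Parse([Security.Cryptography.DataProtectionScope], $Scope)
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    try {
        $blob = [Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $scopeValue)
        return [Convert]::ToBase64String($blob)   # store this in the profile file
    }
    finally {
        # Scrub our byte copy of the plaintext (the .NET string itself cannot be scrubbed).
        [Array]::Clear($bytes, 0, $bytes.Length)
    }
}

function Unprotect-ProfilePassword {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $scopeValue = [Enum]::Parse([Security.Cryptography.DataProtectionScope], $Scope)
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $scopeValue)
        return [Text.Encoding]::UTF8.GetString($bytes)
    }
    catch [Security.Cryptography.CryptographicException] {
        # Raised when a different user (or, for LocalMachine scope, a different
        # machine) tries to decrypt, or when the entropy does not match.
        throw "DPAPI refused to unprotect the blob: $($_.Exception.Message)"
    }
}

# Usage (constructed sample password):
$stored = Protect-ProfilePassword -PlainText 'correct horse battery staple'
$stored                                   # opaque Base64 blob; no key in the EXE or file
Unprotect-ProfilePassword -Base64Blob $stored   # same Windows account gets the password back
```

Two caveats worth knowing before adopting this. A CurrentUser blob protects the file against other accounts and against someone who copies the profile directory off the machine, but not against malware already running as the same user, which can call Unprotect exactly as the script does; that is the residual risk the post above describes. And a backup job that runs under a service account or scheduled task must either run as the account that created the blob or use LocalMachine scope, which widens who can decrypt it.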