#106992 - 2003-11-13 03:55 PM
Re: exe vs non-exe -- Which is more secure?
Richard H.
Administrator
   
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
I'm with Stevie on this one.
There are techniques you may employ when using KiXcrypt (or indeed the KiXscripts editor) to pass things like account information, passwords or even vital script code on the command line as variables rather than in the unpacked/crypted script itself.
However, in any program which is executing on a local machine all data are visible.
It doesn't make much difference whether the code was written as a script, VB, C++ or assembler. Any half-decent cracker will be able to step through compiled code and examine memory and stack information.
Again there are tricks you can use to make this more difficult but the only way to keep a password safe in a file is:
- Don't allow anyone who can read the file to have access to any tool which can be used to crack it.
- Don't allow anyone who can read the file to have any mechanism by which they can transport a copy of the file (floppy, email, http post, ftp etc)
- Don't allow any backup containing the file to leave secured areas
Not surprisingly this is very hard to do, which is why the better solution is to rely on security tokens and hand-shaking. Still not an absolutely secure environment, but damned hard to get anything useful from in time for it to still be of use.
Back in the real world, you normally have two "audiences" for your efforts to secure passwords.
The first are your users. If you are unlucky enough to have staff who view security as an interesting challenge, you have to pitch your security high enough that it is beyond their competence or persistence. If the prize is not interesting enough it won't be chased.
The second are the people you answer to - in my case this will be internal security auditors. You have to pitch your security high enough that you can convince them that a breach is unlikely. There is usually a cost / benefit balance you need to find.
In summary, security is what you make it.
You don't need the latest, greatest corneal/fingerprint recognition hardware backed up with lethal force counter-measures to protect your data.
You do need to understand what security is available and what the limitations and weaknesses are in your own security. If you think you haven't got any, you've missed something.