Hey, Scripting Guy! How can I mask passwords using an InputBox?
Hey, PG. If you’re hoping to mask passwords using a function or method built into WSH or VBScript we’re afraid you’ll be disappointed; neither technology supports password masking. That doesn’t mean you can’t do it, it just means we’ll have to look beyond the core scripting technologies.
If you’re running Windows XP or Windows Server 2003, you can use ScriptPW (a COM object found only in those two versions of Windows) to mask passwords from the command line. Here’s a sample script that creates an instance of the ScriptPW.Password object and then uses the StdOut Write method to request that the user enter a password:
Set objPassword = CreateObject("ScriptPW.Password") WScript.StdOut.Write "Please enter your password:" strPassword = objPassword.GetPassword() Wscript.Echo Wscript.Echo "Your password is: " & strPassword
When you run this script, the message Please enter your password: appears on the screen. At that point, the script will pause and wait for you to type in a password; you simply type the password and press ENTER. This line of code will then grab the password and store it in the variable strPassword:
strPassword = objPassword.GetPassword()
For this simple script, we just echo back the password typed in to prove that the keystrokes really were captured. We do this because with ScriptPW and the GetPassword() method, the keystrokes you type are not displayed onscreen. In other words, the password gets masked.
Of course, that’s great if you’re running Windows XP or Windows Server 2003. But what if you’re running Windows 2000? How can you mask passwords?
Well, some might consider it a bit of a hack, but you can call up a Web page and use the HTML password box to mask passwords. This column isn’t really the place to discuss HTML tagging, so we won’t give you a detailed explanation of how this all works. Instead, we’ll just tell you that you need to do two things.
First, save the following as C:\Scripts\Password.htm (and yes, we want this to be an HTML page):
<SCRIPT LANGUAGE="VBScript"> Sub RunScript OKClicked.Value = "OK" End Sub Sub CancelScript OKClicked.Value = "Cancelled" End Sub </SCRIPT> <BODY> <font size="2" face="Arial"> Password: </font><font face="Arial"> <input type="password" name="UserPassword" size="40"></font></p> <input type="hidden" name="OKClicked" size = "20"> <input id=runbutton class="button" type="button" value=" OK " name="ok_button" onClick="RunScript"> <input id=runbutton class="button" type="button" value="Cancel" name="cancel_button" onClick="CancelScript"> </BODY>
Next, save this code as a .vbs file (for example, Password.vbs):
On Error Resume Next Set objExplorer = WScript.CreateObject _ ("InternetExplorer.Application", "IE_") objExplorer.Navigate "file:///C:\Scripts\password.htm" objExplorer.ToolBar = 0 objExplorer.StatusBar = 0 objExplorer.Width = 400 objExplorer.Height = 350 objExplorer.Left = 300 objExplorer.Top = 200 objExplorer.Visible = 1 Do While (objExplorer.Document.Body.All.OKClicked.Value = "") Wscript.Sleep 250 Loop strPassword = objExplorer.Document.Body.All.UserPassword.Value strButton = objExplorer.Document.Body.All.OKClicked.Value objExplorer.Quit Wscript.Sleep 250 If strButton = "Cancelled" Then Wscript.Quit Else Wscript.Echo strPassword End If
So now what do you do? Well, start Password.vbs. When you do this a Web page with a password box will pop up on screen. If you type a password and click OK, the password you typed will be echoed to the screen (again, just to demonstrate that we’re actually grabbing the password you typed.) If you click Cancel, the script will simply end.
If you’re looking for some more practical examples of both ScriptPW and HTML password boxes, you might want to check out the Remote/Multiple computer templates found in the Script Center. Here you’ll find sample scripts that don’t simply echo back passwords you enter; instead, they take those passwords and then use WMI’s ConnectServer method or ADSI’s OpenDSObject method to securely connect to remote computers.