How Can I Mask Passwords Using an InputBox?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I mask passwords using an InputBox?

— PG

SpacerHey, Scripting Guy! AnswerScript Center

Hey, PG. If you’re hoping to mask passwords using a function or method built into WSH or VBScript we’re afraid you’ll be disappointed; neither technology supports password masking. That doesn’t mean you can’t do it, it just means we’ll have to look beyond the core scripting technologies.

If you’re running Windows XP or Windows Server 2003, you can use ScriptPW (a COM object found only in those two versions of Windows) to mask passwords from the command line. Here’s a sample script that creates an instance of the ScriptPW.Password object and then uses the StdOut Write method to request that the user enter a password:

Set objPassword = CreateObject("ScriptPW.Password") 
WScript.StdOut.Write "Please enter your password:" 

strPassword = objPassword.GetPassword() 
Wscript.Echo
Wscript.Echo "Your password is: " & strPassword

When you run this script, the message Please enter your password: appears on the screen. At that point, the script will pause and wait for you to type in a password; you simply type the password and press ENTER. This line of code will then grab the password and store it in the variable strPassword:

strPassword = objPassword.GetPassword()

For this simple script, we just echo back the password typed in to prove that the keystrokes really were captured. We do this because with ScriptPW and the GetPassword() method, the keystrokes you type are not displayed onscreen. In other words, the password gets masked.

Of course, that’s great if you’re running Windows XP or Windows Server 2003. But what if you’re running Windows 2000? How can you mask passwords?

Well, some might consider it a bit of a hack, but you can call up a Web page and use the HTML password box to mask passwords. This column isn’t really the place to discuss HTML tagging, so we won’t give you a detailed explanation of how this all works. Instead, we’ll just tell you that you need to do two things.

First, save the following as C:\Scripts\Password.htm (and yes, we want this to be an HTML page):

<SCRIPT LANGUAGE="VBScript">

Sub RunScript
    OKClicked.Value = "OK"
End Sub

Sub CancelScript
    OKClicked.Value = "Cancelled"
End Sub

</SCRIPT>

<BODY>
<font size="2" face="Arial">
Password:&nbsp;&nbsp;&nbsp; </font><font face="Arial">
<input type="password" name="UserPassword" size="40"></font></p>

<input type="hidden" name="OKClicked" size = "20">

<input id=runbutton class="button" type="button" value=" OK " 
name="ok_button" onClick="RunScript">
&nbsp;&nbsp;&nbsp;
<input id=runbutton class="button" type="button" value="Cancel" 
name="cancel_button" onClick="CancelScript">

</BODY>

Next, save this code as a .vbs file (for example, Password.vbs):

On Error Resume Next

Set objExplorer = WScript.CreateObject _
    ("InternetExplorer.Application", "IE_")

objExplorer.Navigate "file:///C:\Scripts\password.htm"   
objExplorer.ToolBar = 0
objExplorer.StatusBar = 0
objExplorer.Width = 400
objExplorer.Height = 350 
objExplorer.Left = 300
objExplorer.Top = 200
objExplorer.Visible = 1             

Do While (objExplorer.Document.Body.All.OKClicked.Value = "")
    Wscript.Sleep 250                 
Loop 

strPassword = objExplorer.Document.Body.All.UserPassword.Value
strButton = objExplorer.Document.Body.All.OKClicked.Value
objExplorer.Quit
Wscript.Sleep 250

If strButton = "Cancelled" Then
    Wscript.Quit
Else
    Wscript.Echo strPassword
End If

So now what do you do? Well, start Password.vbs. When you do this a Web page with a password box will pop up on screen. If you type a password and click OK, the password you typed will be echoed to the screen (again, just to demonstrate that we’re actually grabbing the password you typed.) If you click Cancel, the script will simply end.

If you’re looking for some more practical examples of both ScriptPW and HTML password boxes, you might want to check out the Remote/Multiple computer templates found in the Script Center. Here you’ll find sample scripts that don’t simply echo back passwords you enter; instead, they take those passwords and then use WMI’s ConnectServer method or ADSI’s OpenDSObject method to securely connect to remote computers.