Millisecond Forums

Security of script passwords

https://forums.millisecond.com/Topic18850.aspx

By lakeside - 4/8/2016

I have noticed that passwords can be entered into web scripts for both FTP data writes and for the /encrypt attribute. However, it appears the script can be accessed and downloaded anonymously by anyone familiar with the script name and the URL pattern used by Millisecond. Is this correct? If so, what extra security does the use of passwords provide?

By Dave - 4/8/2016

When hosting scripts and data on millisecond.com, there would only be extra security if you also encrypt the script itself. A person would still be able to download the script anonymously as you describe, but would not be able to read its contents.

Ultimately, though, the script has to be decrypted at some point and be available in plain text in order to run. I.e., a motivated attacker would be able to "participate" in the experiment and dump the decrypted contents on her/his system to obtain any (FTP etc.) passwords contained in the script.

Encrypting data files can be useful if you want to transmit them somewhere else, but there's no transport-layer encryption available to you (FTP, plain HTTP).

By lakeside - 4/8/2016

Thanks. I am not a security expert but, for the record, it occurs to me the FTP account could be set up with write-only (i.e., no read or execute) permissions, which should mitigate the risk of compromised user/password information.
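
Added example, not part of the thread and not Millisecond's code: one way to check the write-only setup suggested in the last post, by probing a logged-in `ftplib.FTP`-style session and reporting every operation other than upload that the server permits. The names `audit_dropbox`, `violations`, the probe file name and the `FakeServer` stand-in are assumptions made for illustration, and checking overwrite and delete goes beyond the "no read or execute" wording of the post.

```python
import io
from ftplib import error_perm

ALLOWED = {"upload"}  # the only operation a data drop-box account needs

def audit_dropbox(ftp, probe="audit-probe.dat"):
    """Probe a logged-in ftplib.FTP-style session; return {operation: permitted}."""
    def permitted(action):
        try:
            action()
            return True
        except error_perm:  # 5xx reply = refused; network errors propagate
            return False

    results = {"upload": permitted(
        lambda: ftp.storbinary(f"STOR {probe}", io.BytesIO(b"audit")))}
    results["list"] = permitted(ftp.nlst)
    results["download"] = permitted(
        lambda: ftp.retrbinary(f"RETR {probe}", lambda chunk: None))
    results["overwrite"] = permitted(
        lambda: ftp.storbinary(f"STOR {probe}", io.BytesIO(b"changed")))
    results["delete"] = permitted(lambda: ftp.delete(probe))
    return results

def violations(results):
    """Operations whose outcome differs from a write-only policy."""
    return sorted(op for op, ok in results.items() if ok != (op in ALLOWED))

class FakeServer:
    """Constructed stand-in for a server, so the example runs offline."""
    def __init__(self, write_only):
        self.write_only, self.files = write_only, {}
    def _deny(self):
        if self.write_only:
            raise error_perm("550 Permission denied.")
    def storbinary(self, cmd, fp):
        name = cmd.split(" ", 1)[1]
        if name in self.files:
            self._deny()  # write-only policy also refuses replacing a file
        self.files[name] = fp.read()
    def nlst(self):
        self._deny(); return list(self.files)
    def retrbinary(self, cmd, callback):
        self._deny(); callback(self.files[cmd.split(" ", 1)[1]])
    def delete(self, name):
        self._deny(); del self.files[name]

if __name__ == "__main__":
    for mode in (True, False):
        print("write_only =", mode, "->", violations(audit_dropbox(FakeServer(mode))))
```

Against a real server, pass a connected and logged-in `ftplib.FTP` (or `FTP_TLS`) object instead of `FakeServer`; if deletion is refused, the probe file stays on the server.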