We are soon going to need to change the password for the user that runs our Automise batch processes on a regular basis. Right now, we have the username and password on each of the several Map Network Drive actions (as an example), and so we need to change it in each location when we change the network password for that user.
Is there a way to store a password in a central location or maybe global variable (environment variable maybe?) so that we can just use that variable or location whenever we need to use the password? What is the best practice for doing this in terms of security and efficiency?
This is actually a tricky one - windows doesn’t really provide a secure way to do this, and anywhere you store a sensitive value (ie passwords) - you need a way to access those values (ie another password or private/public key pair).
I would not recommend environment variables as they are visible to everyone and stored in plain text (in the registry and available to every process).
This is an untested idea but should work.
Create an ini file that is stored on a secured network drive (or local if this is only needed on one machine).
Create an automise project that prompts for the password, then encrypts the password and writes it to the ini file. Each time you need to update the password, run this project.
Then in your regular project, read the encrypted value from the ini file, and decrypt it (using the same key as the encrypt action in the above project) and save it in a variable for use by the actions that need it.
Bear in mind that the encrypt string action does not use very secure encryption - intentionally, because of export controls around encryption. We are looking at what we can do to improve this without running afoul of gov rules (Australia, US, EU all have differing regulations).
Also note that it’s possible the password could appear in logs, use the Action Loggin options to suppress logging where necessary. In AT6 we are adding a password variable type which makes it easier for us to determine where we need to suppress logging the values.
HTH, let us know if you hit any issues with above idea.
I will give that a try. I have created a lot of Automise projects, but never one that prompted the user for any information - they have all been batch processes. This will be a new experience
