How Can I Mask Passwords Using an InputBox?

How Can I Mask Passwords Using an InputBox?

  • Comments 5
  • Likes
Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I mask passwords using an InputBox?

-- PG

SpacerHey, Scripting Guy! AnswerScript Center

Hey, PG. If you’re hoping to mask passwords using a function or method built into WSH or VBScript we’re afraid you’ll be disappointed; neither technology supports password masking. That doesn’t mean you can’t do it, it just means we’ll have to look beyond the core scripting technologies.

If you’re running Windows XP or Windows Server 2003, you can use ScriptPW (a COM object found only in those two versions of Windows) to mask passwords from the command line. Here’s a sample script that creates an instance of the ScriptPW.Password object and then uses the StdOut Write method to request that the user enter a password:

Set objPassword = CreateObject("ScriptPW.Password") 
WScript.StdOut.Write "Please enter your password:" 

strPassword = objPassword.GetPassword() 
Wscript.Echo
Wscript.Echo "Your password is: " & strPassword

When you run this script, the message Please enter your password: appears on the screen. At that point, the script will pause and wait for you to type in a password; you simply type the password and press ENTER. This line of code will then grab the password and store it in the variable strPassword:

strPassword = objPassword.GetPassword()

For this simple script, we just echo back the password typed in to prove that the keystrokes really were captured. We do this because with ScriptPW and the GetPassword() method, the keystrokes you type are not displayed onscreen. In other words, the password gets masked.

Of course, that’s great if you’re running Windows XP or Windows Server 2003. But what if you’re running Windows 2000? How can you mask passwords?

Well, some might consider it a bit of a hack, but you can call up a Web page and use the HTML password box to mask passwords. This column isn’t really the place to discuss HTML tagging, so we won’t give you a detailed explanation of how this all works. Instead, we’ll just tell you that you need to do two things.

First, save the following as C:\Scripts\Password.htm (and yes, we want this to be an HTML page):

<SCRIPT LANGUAGE="VBScript">

Sub RunScript
    OKClicked.Value = "OK"
End Sub

Sub CancelScript
    OKClicked.Value = "Cancelled"
End Sub

</SCRIPT>

<BODY>
<font size="2" face="Arial">
Password:&nbsp;&nbsp;&nbsp; </font><font face="Arial">
<input type="password" name="UserPassword" size="40"></font></p>

<input type="hidden" name="OKClicked" size = "20">

<input id=runbutton class="button" type="button" value=" OK " 
name="ok_button" onClick="RunScript">
&nbsp;&nbsp;&nbsp;
<input id=runbutton class="button" type="button" value="Cancel" 
name="cancel_button" onClick="CancelScript">

</BODY>

Next, save this code as a .vbs file (for example, Password.vbs):

On Error Resume Next

Set objExplorer = WScript.CreateObject _
    ("InternetExplorer.Application", "IE_")

objExplorer.Navigate "file:///C:\Scripts\password.htm"   
objExplorer.ToolBar = 0
objExplorer.StatusBar = 0
objExplorer.Width = 400
objExplorer.Height = 350 
objExplorer.Left = 300
objExplorer.Top = 200
objExplorer.Visible = 1             

Do While (objExplorer.Document.Body.All.OKClicked.Value = "")
    Wscript.Sleep 250                 
Loop 

strPassword = objExplorer.Document.Body.All.UserPassword.Value
strButton = objExplorer.Document.Body.All.OKClicked.Value
objExplorer.Quit
Wscript.Sleep 250

If strButton = "Cancelled" Then
    Wscript.Quit
Else
    Wscript.Echo strPassword
End If

So now what do you do? Well, start Password.vbs. When you do this a Web page with a password box will pop up on screen. If you type a password and click OK, the password you typed will be echoed to the screen (again, just to demonstrate that we’re actually grabbing the password you typed.) If you click Cancel, the script will simply end.

If you’re looking for some more practical examples of both ScriptPW and HTML password boxes, you might want to check out the Remote/Multiple computer templates found in the Script Center. Here you’ll find sample scripts that don’t simply echo back passwords you enter; instead, they take those passwords and then use WMI’s ConnectServer method or ADSI’s OpenDSObject method to securely connect to remote computers.


Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • You can put below code in any .vbs file to enable password promt:

    AskPassword

    Sub AskPassword()

    Dim htmPwdCode, objCodeFile, objFileSysObj, objBrowser

    Const FOR_WRITING = 2

    Set objFileSysObj = CreateObject("Scripting.FileSystemObject")

    htmlPwdCode = "<SCRIPT LANGUAGE=" & Chr(34) & "VBScript" & Chr(34) & ">" & Chr(13) & _

    "Sub RunScript" & Chr(13) & _

    "    OKClicked.Value = " & Chr(34) & "OK"& Chr(34) & Chr(13) & _

    "End Sub" & Chr(13) & _

    "Sub CancelScript" & Chr(13) & _

    "    OKClicked.Value = " & Chr(34) & "Cancelled" & Chr(34) & Chr(13) & _

    "End Sub" & Chr(13) & _

    "</SCRIPT>" & Chr(13) & _

    "<BODY><center><font size=" & Chr(34) & "2" & Chr(34) & " face=" & Chr(34) & "Arial" & Chr(34) & ">" & Chr(13) & _

    "User name:   " & Chr(13) & _

    "<input type=" & Chr(34) & "text" & Chr(34) & " name=" & Chr(34) & "UserName" & Chr(34) & " size=" & Chr(34) & "30" & Chr(34) & "><br>" & Chr(13) & _

    "Password :    </font><font face=" & Chr(34) & "Arial" & Chr(34) & ">" & Chr(13) & _

    "<input type=" & Chr(34) & "password" & Chr(34) & " name=" & Chr(34) & "UserPassword" & Chr(34) & _

    " size=" & Chr(34) & "30" & Chr(34) & "></font></p>" & Chr(13) & _

    "<input type=" & Chr(34) & "hidden" & Chr(34) & " name=" & Chr(34) & "OKClicked" & Chr(34) & " size = " & Chr(34) & "20" & Chr(34) & ">" & Chr(13) & _

    "<input id=" & Chr(34) & "btnOK" & Chr(34) & " class=" & Chr(34) & "button" & Chr(34) & _

    " type=" & Chr(34) & "button" & Chr(34) & " value=" & Chr(34) & " OK " & Chr(34) & _

    " name=" & Chr(34) & "ok_button" & Chr(34) & " onClick=" & Chr(34) & "RunScript" & Chr(34) & ">" & Chr(13) & _

    "<input id=" & Chr(34) & "btnCancel" & Chr(34) & " class=" & Chr(34) & "button" & Chr(34) & _

    " type=" & Chr(34) & "button" & Chr(34) & " value=" & Chr(34) & "Cancel" & Chr(34) & _

    " name=" & Chr(34) & "cancel_button" & Chr(34) & " onClick=" & Chr(34) & "CancelScript" & Chr(34) & "></center></BODY>"

    If Not objFileSysObj.FileExists("AskPassword.html") Then

    objFileSysObj.CreateTextFile("AskPassword.html")

    Set objCodeFile = objFileSysObj.OpenTextFile("AskPassword.html", FOR_WRITING)

    objCodeFile.Write htmlPwdCode

    objCodeFile.Close

    Set objCodeFile = Nothing

    Else

    'do nothing if AskPassword.html file already exists

    End If

    Set objBrowser = CreateObject("InternetExplorer.Application")

    With objBrowser

    .Height = 170

    .Width = 400

    .Top = 200

    .Left = 300

    .StatusBar = True

    .Toolbar = False

    .Resizable = False

    .Navigate CreateObject("Scripting.FileSystemObject").GetParentFolderName(Wscript.ScriptFullName) & "\AskPassword.html"

    .Visible = True

    End With

    Do Until objBrowser.ReadyState = 4

    'wait till page loads

    Loop

    CreateObject("WScript.Shell").AppActivate objBrowser.Document.Title

    Do While objBrowser.Document.Body.All.OKClicked.Value = ""

       Wscript.Sleep 50                

    Loop

    strUserID = objBrowser.Document.Body.All.UserName.Value

    strPassword = objBrowser.Document.Body.All.UserPassword.Value

    strButton = objBrowser.Document.Body.All.OKClicked.Value

    objBrowser.Quit

    If strButton = "Cancelled" Then

    MsgBox "Operation cancelled, script will now exit!"

    Wscript.Quit

    Else

    MsgBox "You are welcome " & strUserID & " with password " & strPassword

    End If

    Set objBrowser = Nothing

    Set objFileSysObj = Nothing

    End Sub

    '=======================[ GOT Password ]========================================

  • On modern versions of IE, the second method produces big ugly warning messages about not allowing active content.  Is there another way around this?

  • @Jared

    In addition to the second method causing warning messages, the first method does not work with any operating system after Windows XP. In Windows PowerShell there are two ways to do this: use the Get-Credential cmdlet, or use the Read-Host cmdlet with the -assecurestring parameter. Both of these methodologies work great. Unfortunately, there are no new ways of doing things in VBScript.

  • verry good, but one problem how do you say if password is not password

  • I am trying the second method on WINDOWS7, but it freezes on the html input page and does not do anything after it. What am I doing wrong? I do not care for the warning message as long as it works.