If you ever need to disguise a password in a VuGen script, you will no doubt have used the lr_decrypt() function. If you have stopped to think for a second or two, you will have realised “encrypting” the password in your script doesn’t make it more secure in any meaningful way. Anyone with access to the script can decode the password with a single line of code:
// As a security measure, LoadRunner password encryption is about as effective as rot13. lr_output_message("The secret password is: %s", lr_decrypt("50de7ec44d2ff7033c2fcb9e5cf7307799d7"))
So, if this feature doesn’t really make anything more secure, why was it included in LoadRunner? This is a classic example of a “pre-sales feature” – during the sales process, you just know that a potential customer is going to have an attack of “due dilligence” and say that everyone knows that passwords should not be stored in plaintext and they couldn’t possibly buy the product because it is so insecure. As a pre-sales engineer, you can say “it’s okay, all the passwords in the script are encrypted”, and the barrier to sale suddently disappears.
Read on if you want to learn more about encoding passwords in LoadRunner…
Read more →