How does python-keyring provide security on Windows?
In GNOME/KDE on Linux, the user is prompted to enter his password to authorize access to the keyring on a per-application basis.
In Windows there is no such prompt when an application accesses the keyring. What is stopping a random Python application from retrieving a password from the keyring by running
import keyring
keyring.get_password(service, username)
How is user consent implemented? Is the whole concept, at least in Windows, based on the assumption that all installed programs are 'trusted'?
The Python keyring library provides an easy way to access the system keyring service from Python. It can be used in any application that needs safe password storage. These recommended keyring backends are supported: macOS Keychain. Freedesktop Secret Service supports many DE including GNOME (requires secretstorage)
To view your passwords: Select View ▸ By keyring. Unlock the password keyring that contains your password. A list of passwords stored in the keyring will be displayed. Right click on the password you want to check, and select Properties.
If you want to store credentials for user mjw for the service local-database, the best way to do that is to open Windows Credential Manager (Start > Credential Manager), click Add a generic credential, and enter: Internet or network address: :local-database:mjw. Username: mjw. Password: (your password)
Researching this a bit, it appears that the passwords are stored within a Windows Credential Vault, which is the equivalent of the Gnome or KDE keyrings. You can actually see the ones that you have stored by opening up the Windows Credential Manager. I get there by just typing in Credential Manager on Windows 8.1 from the start screen, but I think you can get to it from the User accounts page as well.
Anyway, as you can see from the attached image, the password that I added to the keyring as a test is displayed under Windows Credentials -> Generic Credentials -> keyring_demo. Opening this window up as another user on the PC does not show this password, so it seems secured from other users. This screen also allows you to revoke or change passwords.
As to how consent is implemented, I believe keyring will operate as long as your Windows user account is logged in, but I don't know the specifics.
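A command-line counterpart to the Credential Manager view described in the answer above, as an added example that is not part of the original post: it parses the output of the Windows `cmdkey /list` command and lists the generic credentials stored for the current user, so you can review what the vault holds for your account. The sample output, the names `demo_user` and `fileserver01`, and the English-locale field labels are constructed assumptions.

```python
import subprocess
import sys

# Constructed sample of `cmdkey /list` output (English locale); not from the page.
SAMPLE = """\
Currently stored credentials:

    Target: LegacyGeneric:target=keyring_demo
    Type: Generic
    User: demo_user

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: EXAMPLE\\demo_user
"""


def parse_cmdkey(text):
    """Turn `cmdkey /list` output into a list of {target, type, user} dicts."""
    entries, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or text without a "Label: value" shape
        key, value = key.lower(), value.strip()
        if key == "target":
            # Each "Target:" line starts a new credential entry.
            current = {"target": value, "type": "", "user": ""}
            entries.append(current)
        elif current is not None and key in ("type", "user"):
            current[key] = value
    return entries


def generic_targets(entries):
    """Names of the entries that Credential Manager shows under Generic Credentials."""
    names = []
    for entry in entries:
        if entry["type"].lower().startswith("generic"):
            # Drop the "LegacyGeneric:target=" style prefix, keep the stored name.
            names.append(entry["target"].split("target=", 1)[-1])
    return names


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["cmdkey", "/list"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE  # off Windows, fall back to the constructed sample
    for name in generic_targets(parse_cmdkey(text)):
        print(name)
```

`cmdkey /list` prints targets and user names only, never the stored secrets, so the script is safe to run as a periodic review of what has accumulated in the vault.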