How to avoid storing password in Python code

Question

I need to use a password to sign in a service I need to do some stuff in Python, but I don't want to store the password in the code.

I did some research and found the base64 encode. This seems good, but it requires the password to be stored in the code anyway.

>>> import base64
>>> encoded = base64.b64encode('data to be encoded') # password stored in the code
>>> encoded
'ZGF0YSB0byBiZSBlbmNvZGVk'
>>> data = base64.b64decode(encoded)
>>> data
'data to be encoded'

For you guys who have already worked with password management in Python, what is the best option? Store the password in a file? Use only the b64encode() string generated and decode it everythime the program needs the password?

Answer 1

I can only assume you are talking about storing your credentials to a site, that the user is unable to register for themselves?

the most correct way to do this is to NOT do it. storing credentials inside the program is in general not very secure and people who want to(and know how) will be able to get those credentials

For a solution that avoids storing your credentials in the code you could create a middleware server that stores individual user credentials that users register for and then you store your site credentials on that server so that users hit an endpoint in your middleware that then does your query against the site using your login credentials and returns the output verbatim. however this is also a fairly difficult solution. however if you are distributing this to untrusted users and you think it is very important to protect the 3rd party credentials this is really the only choice you have.

another option is to allow users to directly register their own username/password with the 3rd party site (you might even be able to automate it) and then prompt the user for their unique credentials and store those in the users home directory or something (encrypt/encode if you want ...)

based on your edits I believe the following may apply to your use case If you are distributing it to a very small trusted group or you find a way to not care too much if people get the credentials out of the program there are many many ways to encode/encrypt/obfuscate your password in the code itself. including base64encoding it, or aes encrypting it, breaking it apart into several places. all of these will block the most common ways people scan code for passwords (but a determined person will definitely be able to recover it)