Menu
I use Python and Django to create web applications, which we store in source control. The way Django is normally set up, the passwords are in plain text within the settings.py file.
Storing my password in plain text would open me up to a number of security problems, particularly because this is an open source project and my source code would be version controlled (through git, on Github, for the entire world to see!)
The question is, what would be the best practice for securely writing a settings.py file in a a Django/Python development environment?
455
In Python with the help of maskpass() module and base64() module we can hide the password of users with asterisk(*) during input time and then with the help of base64() module it can be encrypted.
In the common case of using Django's cache session store, the users' password are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis).
getpass() and getuser() in Python (Password without echo) getpass() prompts the user for a password without echoing. The getpass module provides a secure way to handle the password prompts where programs interact with the users via the terminal.
Using bcrypt with DjangoInstall the bcrypt library. This can be done by running python -m pip install django[bcrypt] , which is equivalent to python -m pip install bcrypt (along with any version requirement from Django's setup. cfg ). Keep and/or add any entries in this list if you need Django to upgrade passwords.
Although I wasn't able to come across anything Python-specific on stackoverflow, I did find a website that was helpful, and thought I'd share the solution with the rest of the community.
The solution: environment variables.
Note: Although environment variables are similar in both Linux/Unix/OS X and in the Windows worlds, I haven't tested this code on a Windows machine. Please let me know if it works.
In your bash/sh shell, type:
export MYAPP_DB_USER='myapp' export MYAPP_DB_PASSWORD='testing123' And in your Django settings.py file:
DATABASE_USER = os.environ.get("MYAPP_DB_USER", '') DATABASE_PASSWORD = os.environ.get("MYAPP_DB_PASSWORD", '') In this case, the username and password would default to an empty string if the environment variable didn't exist.
167
Although environment variables are convenient for a lot of configuration, putting passwords in environment variables is not secure. With the alternative being a configuration file outside regular version control, here are some various cons:
Environment variables might accidentally leak (through debugging channels that might get transmitted via plaintext, to end-users, or to unexpected places in the filesystem like ~/.*sh_history).
Configuration files might accidentally get added to version control and end up in repositories accessible to people without deployment privileges.
Read the blog post Environment Variables Considered Harmful for Your Secrets for more arguments: The environment is accessible to the entire process, is inherited to child (and possibly 3rd-party) processes, and there exists no clear assumption among external developers to treat environment variables as confidential.
The simplest configuration file format in Python is simply a Python module.
27
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
