Possible Duplicate:
I need to securely store a username and password in Python, what are my options?
I am looking for a way to securely store passwords which I intend to use in some Python scripting. I will be logging into different things and I don't want to store the passwords as plaintext in the script itself.
Instead I was wondering if there is anything which is able to securely store those passwords and then retrieve them using something like a master password which I could enter to the script at the beginning.
Yes, that is quite possible. You can deliver your code in .pyc form, but that won't necessarily prevent someone from decompiling and altering it. Unfortunately, Python's just not designed to prevent code alteration.
Note: If you want to mask your password with a string, number or symbol, then just pass that value in the mask. For example, if you want to mask your password with a hashtag (#), then pass the hashtag in mask, i.e., mask="#"; now when the user enters the password, it will be hidden with hashtags (#).
Know the master key yourself. Don't hard code it.
Use py-bcrypt (bcrypt), a powerful hashing technique, to generate a password yourself.
Basically you can do this (an idea...)
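import bcrypt
from getpass import getpass

# Prompt for both values so nothing is hard-coded in the script
master_secret_key = getpass('tell me the master secret key you are going to use')
raw_password = getpass('tell me the password you want to protect')
salt = bcrypt.gensalt()
# bcrypt works on bytes, so encode the strings before joining them with the salt
# (bcrypt accepts at most 72 bytes of input, so keep the combined value short)
combo_password = raw_password.encode() + salt + master_secret_key.encode()
hashed_password = bcrypt.hashpw(combo_password, salt)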
Save the salt and hashed password somewhere, so whenever you need to use the password, you are reading the encrypted password and testing against the raw password you are entering again.
This is basically how login should work these days.
I typically have a secrets.py that is stored separately from my other python scripts and is not under version control. Then whenever required, you can do from secrets import <required_pwd_var>. This way you can rely on the operating system's in-built file security system without re-inventing your own.
Using Base64 encoding/decoding is also another way to obfuscate the password, though not completely secure.
More here - Hiding a password in a python script (insecure obfuscation only)
The secure way is to encrypt your sensitive data with AES, where the encryption key is derived by a password-based key derivation function (PBE); the master password is used to encrypt/decrypt the encryption key for AES.
master password -> secure key-> encrypt data by the key
You can use pbkdf2
from pbkdf2 import PBKDF2
from Crypto.Cipher import AES
import os
salt = os.urandom(8) # 64-bit salt
key = PBKDF2("This passphrase is a secret.", salt).read(32) # 256-bit key
iv = os.urandom(16) # 128-bit IV
cipher = AES.new(key, AES.MODE_CBC, iv)
Make sure to store the salt/iv/passphrase, and decrypt using the same salt/iv/passphrase.
WebLogic used a similar approach to protect passwords in config files.
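The flow from the last answer (master password -> derived key -> encrypted data), written out as an added example that is not code from any of the answers. It goes beyond the CBC snippet by using AES-GCM from the `cryptography` package, so a wrong master password or an edited file is rejected instead of decrypting to garbage; `seal`, `unseal`, the JSON field names and the iteration count are assumptions.

```python
import base64, hashlib, json, os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def _derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit AES key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def seal(master_password: str, secrets: dict) -> str:
    """Encrypt a dict of secrets; returns a JSON record that can be written to disk."""
    salt, nonce = os.urandom(16), os.urandom(12)  # fresh for every encryption
    key = _derive_key(master_password, salt, ITERATIONS)
    ciphertext = AESGCM(key).encrypt(nonce, json.dumps(secrets).encode(), None)
    record = {"kdf": "pbkdf2-sha256", "iter": ITERATIONS}
    for name, raw in (("salt", salt), ("nonce", nonce), ("ct", ciphertext)):
        record[name] = base64.b64encode(raw).decode()
    return json.dumps(record)


def unseal(master_password: str, blob: str) -> dict:
    """Decrypt a record made by seal(); ValueError on wrong password or tampering."""
    record = json.loads(blob)
    salt, nonce, ct = (base64.b64decode(record[k]) for k in ("salt", "nonce", "ct"))
    key = _derive_key(master_password, salt, record["iter"])
    try:
        return json.loads(AESGCM(key).decrypt(nonce, ct, None))
    except InvalidTag:
        raise ValueError("wrong master password or modified vault") from None


if __name__ == "__main__":
    from getpass import getpass
    master = getpass("Master password: ")  # entered once at script start
    blob = seal(master, {"db": "constructed-sample-password"})  # constructed value
    print(unseal(master, blob))
```

Only the salt, nonce, iteration count and ciphertext are stored; the master password and the derived key exist only in memory while the script runs.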