
I've written a simple program that prompts the user for some values and then uses those values as a sort of password later when the user interacts with it again.

How can I store that value permanently NOT using Pickle? A database would be too massive for such few lines of data. A text file may not be that secure against possible intruders.

Is there a way to permanently store a data in a relatively safe manner?

mickkk (edited by Brian Tompsett - 汤莱恩)
  • possible duplicate of [Secure credential storage in python](http://stackoverflow.com/questions/14636290/secure-credential-storage-in-python) – BartoszKP Jul 13 '14 at 17:29
  • Start by simply not storing the password itself; instead store the password's hash and a salt. – roippi Jul 13 '14 at 17:31
  • Since hash is mentioned, note that this is not Python `__hash__`, but a _cryptographic hash_ (i.e. secure hash). – behzad.nouri Jul 13 '14 at 17:38
  • Have you considered using SQLite (https://docs.python.org/2/library/sqlite3.html)? It's available by default in most operating systems and Python has a built-in module for it. – Girish Jul 13 '14 at 18:06
  • Just wondering, what do you have against pickle? – Tony Suffolk 66 Jul 14 '14 at 11:41
  • Nothing, I've repeatedly been told that pickle is unsafe and to avoid using it if possible. I am relatively new to programming so my question might not always be the smartest :) please try to understand. – mickkk Jul 15 '14 at 12:25

1 Answer


There are a few options to consider; the best one depends on the scope of your project. Is it a pet project used by you and a few others, or some serious stuff publicly accessible?

Text File

From the looks of it, a (text) file is the best option. Use a proper cryptographic hash (SHA256 or better) to hash the passwords and store those in the text file with the username.

On login, check the hashed password from the login-form with the one in the text-file.

Depending on the situation, you might wanna look at bcrypt/scrypt for password hashing. Ensure the text file is outside the root dir of your webpage, and can only be read/modified/written by the process that needs it.

Tiny Database

Or you can use a database anyway. Sqlite is very low-overhead. Instead of writing to text, you're writing to a database that is still 1 file large.

The code needed to open and update text files is probably as large as a sqlite connection. If you use a framework of some sort, there's possibly an ORM which covers what you need for a Sqlite connection. Ideal if you ever want to upgrade to a larger database.

puredevotion
  • In the end I opted for sqlite, it seems a good fit and not as heavy as I thought! Thanks to everyone for your help! – mickkk Jul 15 '14 at 12:26
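The approach the answer and comments describe (never store the password, store a per-user random salt plus a scrypt hash, keep it in a single-file SQLite database), written out as an added example that is not from the original post or its author. It uses only the Python standard library; the table name, column names and scrypt cost parameters are assumptions chosen for the example, and the path defaults to an in-memory database so it runs stand-alone.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed cost parameters (example values); raise N on capable hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte scrypt hash of the password under a per-user salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the single-file credential store; schema is assumed."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users ("
                 "username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only salt + hash; the plaintext password is never written."""
    salt = os.urandom(SALT_BYTES)
    # Parameterised query: user input never becomes part of the SQL text.
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))
    conn.commit()


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Unknown user: still run a derivation so timing does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = open_store()
    register(db, "alice", "correct horse battery staple")
    print(verify(db, "alice", "correct horse battery staple"))  # True
    print(verify(db, "alice", "wrong"))  # False
```

Pass a file path to `open_store` to persist the store; as the answer notes, keep that file outside any web root and readable only by the process that needs it.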