
I need to use a password to sign in to a service, where I need to do some stuff in Python, but I don't want to store the password in the code.

I did some research and found base64 encoding. This seems good, but it requires the password to be stored in the code anyway.

```python
>>> import base64
>>> encoded = base64.b64encode(b'data to be encoded')  # password stored in the code (bytes in Python 3)
>>> encoded
b'ZGF0YSB0byBiZSBlbmNvZGVk'
>>> data = base64.b64decode(encoded)
>>> data
b'data to be encoded'
```

For you guys who have already worked with password management in Python, what is the best option? Store the password in a file? Use only the b64encode() string generated and decode it every time the program needs the password?

undisp
  • This might help: http://stackoverflow.com/questions/12042724/securely-storing-passwords-for-use-in-python-script – Gabriel Garrett Jun 11 '15 at 15:52
  • ask the user for a password and store a hash of it in the database .... otherwise you need to store it somehow ... I like to take a base64 string that looks like an ASCII string and base64 decode it to a password byte string .... – Joran Beasley Jun 11 '15 at 15:52
    __I need to use a password to sign in a service__ can you elaborate more on this part? – Joran Beasley Jun 11 '15 at 15:56
    Is this code just for your own use, or will you be distributing it? One option I've used for the latter is allowing the user to create a local file storing credentials (including the password, if they want to), then asking them to input anything they didn't want to store in that file at run-time. My version of that file is then excluded from the repository. – jonrsharpe Jun 11 '15 at 15:58
  • I think he is talking about storing his own credentials to a site (that he does not control), so I'm guessing random strings from users won't quite work .... – Joran Beasley Jun 11 '15 at 15:59
  • @Joran Beasley: the application will automatically sign in with a username and a password and then will use some functions of the service. – undisp Jun 11 '15 at 16:03
  • @jonrsharpe The code won't be distributed. I'm just trying to use a good security practice to store the password and at the same time ensure that if someone gets access to the code they won't be able to see the password. – undisp Jun 11 '15 at 16:03
  • There is no good way to do this. You can store the password in some encrypted format (e.g. your `base64`), but you also have to include **how to decrypt it** in the source code, so what's the point? I just have to read through your example for `'ZGF0YSB0byBiZSBlbmNvZGVk'` and `data = base64.b64decode(encoded)` and I can trivially recover the plain text. – jonrsharpe Jun 11 '15 at 16:06
  • @jonrsharpe That's why I made this post, to find out if there was a good way to do this. I could simply be following a wrong path. Anyways, I will do some more research to see if I can find something more secure. – undisp Jun 11 '15 at 16:10

2 Answers


I can only assume you are talking about storing your credentials to a site that the user is unable to register for themselves?

The most correct way to do this is to NOT do it. Storing credentials inside the program is in general not very secure, and people who want to (and know how) will be able to get those credentials.

For a solution that avoids storing your credentials in the code, you could create a middleware server that stores individual user credentials that users register for, and then you store your site credentials on that server so that users hit an endpoint in your middleware that then does your query against the site using your login credentials and returns the output verbatim. However, this is also a fairly difficult solution. However, if you are distributing this to untrusted users and you think it is very important to protect the 3rd party credentials, this is really the only choice you have.

Another option is to allow users to directly register their own username/password with the 3rd party site (you might even be able to automate it) and then prompt the user for their unique credentials and store those in the user's home directory or something (encrypt/encode if you want ...)

Based on your edits I believe the following may apply to your use case. If you are distributing it to a very small trusted group, or you find a way to not care too much if people get the credentials out of the program, there are many, many ways to encode/encrypt/obfuscate your password in the code itself, including base64 encoding it, AES encrypting it, or breaking it apart into several places. All of these will block the most common ways people scan code for passwords (but a determined person will definitely be able to recover it).

Joran Beasley

Don't embed the password (clear or obfuscated) in your program. Instead, allow the user to supply the password in a file. This is the approach taken by programs such as the standard FTP and MySQL clients.

For bonus points, check that the file cannot be read (and preferably not be written or replaced) by a different non-root user. If so, exit with an error message, so that the user must fix it.

Be aware that you will have a valuable password in memory - consider overwriting as soon as possible after use, so it's not present in any core file.

If your platform has a suitable keyring implementation, you might consider using the Python keyring package.

Toby Speight
  • How would you overwrite the password in memory? – Kebman Oct 31 '20 at 16:07
  • In Python, it's hard to be sure you don't have copies of the password hanging around in memory. This is one case where C wins, as you can simply `memset()` the storage when the password is no longer needed. – Toby Speight Nov 04 '20 at 16:46