
I have a project to send, where basically I have to send an email using Python.

My code is complete, so I was about to send it. Because the module smtplib needs my email login, I compiled my code so people could not see my email and password. However, even compiled, when we look at the hex code, we can still see my email and password (and some prints).

Is there a way to compile so we have no information left after?

Thank you very much for your help and time !

Chronoxx

1 Answer


Generally, it is a bad idea to hold sensitive information in the code. There is no uniformly best way to do it, but common practices to store credentials include:

  • in a separate code file not in your code base (local_settings.py, added to .gitignore)
  • in a separate config file outside of the project (e.g. json or yml)
  • environment variables (read using os.environ)
  • command line parameters
  • request as user input
  • a combination of all above
Marat
  • Thank you for your reply with many options ! Problem is, I can only send 1 file, and it is a python file.. I just tried putting them in an os.environ variable like you suggested but it still appears in the hex.. – Chronoxx Mar 25 '18 at 20:00
  • There is no way Python will save environment variable in the bytecode, so, just to make sure: hex will not update until you run the edited python file. Did you? Then, why don't you send .py file only, without bytecode? – Marat Mar 25 '18 at 20:03
  • Yes, I modified the code and recompiled it after I changed to os.environ, but I'm still seeing the email, password and other variables in the hex code.. And if I only send the .py file, everyone will have access to my email account, as it needs to be sent from my email and not another one. – Chronoxx Mar 25 '18 at 20:10
  • That's exactly what I'm talking about - your email address (and password, and SMTP server, etc.) should not be in the .py file in the first place. Store them somewhere outside of the file, in one of the locations I listed. – Marat Mar 25 '18 at 20:13
  • I wanted to do that at first, but I didn't know how to access them from this file, as I can only send 1 file... – Chronoxx Mar 25 '18 at 20:15
  • OK, finally I understand. No, it is not possible. Even if you obfuscate the file, it is relatively easy to dump program memory and get your password. I would instruct the remote user to use their credentials instead, or perhaps create a temporary account specifically for this purpose. – Marat Mar 25 '18 at 20:18
  • Ok, thank you very much for your time, I will create a new email ! – Chronoxx Mar 25 '18 at 20:34
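
The point made in the answer and comments above, as an added example that is not part of the original thread: a string literal is stored in the compiled bytecode's constants, while a value read from `os.environ` or typed at a prompt leaves only the variable name there. The variable names `SMTP_USER` and `SMTP_PASSWORD`, the sample password and all helper names are assumptions made for this illustration.

```python
import getpass
import os
import smtplib
import ssl
from email.message import EmailMessage

# Constructed sample sources: one hardcodes a secret, one reads it at run time.
HARDCODED_SRC = 'PASSWORD = "hunter2-constructed"\n'
ENV_SRC = 'import os\nPASSWORD = os.environ["SMTP_PASSWORD"]\n'


def string_constants(source):
    """Return every string literal stored in the compiled code object."""
    found, stack = set(), [compile(source, "<sample>", "exec")]
    while stack:
        code = stack.pop()
        for const in code.co_consts:
            if isinstance(const, str):
                found.add(const)
            elif hasattr(const, "co_consts"):  # nested function/class body
                stack.append(const)
    return found


def load_credentials(env=os.environ, prompt=getpass.getpass):
    """Take credentials from the environment, else ask the user (assumed names)."""
    user = env.get("SMTP_USER") or input("SMTP user: ")
    password = env.get("SMTP_PASSWORD") or prompt("SMTP password: ")
    return user, password


def send_mail(host, port, recipient, subject, body):
    """Send one message over STARTTLS; nothing secret lives in this file."""
    user, password = load_credentials()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, recipient, subject
    msg.set_content(body)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # Pass a verifying context; the smtplib default does not check certificates.
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    print(string_constants(HARDCODED_SRC))  # includes the password literal
    print(string_constants(ENV_SRC))        # only the variable name
```

Running `string_constants` over a script before shipping it is a quick check that no credential literal survived; it says nothing about secrets recoverable from process memory at run time, which is the limit raised in the last comments.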