Python Password Security

Posted: Thu Sep 15, 2016 7:25 am
by gproduct
How can I protect a password inside a Python script?
I already used base64 encoding but anyone that has access to it can decode it.
Any suggestions?

Re: Python Password Security

Posted: Thu Sep 15, 2016 8:48 am
by ghans
You should never use a reversible method to store passwords. Store a hash of the password only.
Let the user enter the password, hash the input, and compare to the stored hash.

Use PBKDF2, bcrypt or Argon2 as hash functions. Password hashing functions can (and should!) be "slow".
Don't use SHA256 or similar - they are too "fast". Definitely don't use MD5.

If you "need" to store passwords in a reversible form, I would think long and hard if the design of
your system isn't fundamentally broken somehow.

ghans

Re: Python Password Security

Posted: Thu Sep 15, 2016 8:57 am
by B.Goode
gproduct wrote: How can I protect a password inside a python script.
I already used base64 encoding but anyone that has access to it can decode it.
Any suggestions?

Is this a login password?

Consider using ssh with public/private key pairs instead. There are existing Python libraries that implement this solution for you.

Re: Python Password Security

Posted: Thu Sep 15, 2016 9:09 am
by gproduct
Thanks for the suggestions, the password is used for sending emails. Login password for email.

Re: Python Password Security

Posted: Thu Sep 15, 2016 9:18 am
by Heater
In that case storing a hash of the password is not a solution.

Still, you should not have the password written into your source code. Or hidden in a binary executable.

Get it from the command line when you start the program. Or read it from a file in some place. Preferably with access permissions set so that only you can read it.

Re: Python Password Security

Posted: Thu Sep 15, 2016 9:36 am
by gproduct
If I encode the path to the file where the password's hash is stored and read it with permission, is that enough?

Re: Python Password Security

Posted: Thu Sep 15, 2016 10:16 am
by ghans
Can you actually work with a password hash, i.e. is your system interactive?
Is somebody going to enter a password every time?

Or will the password itself be transmitted to a third party?

ghans

Re: Python Password Security

Posted: Thu Sep 15, 2016 1:43 pm
by gproduct
The password is used when a Python script is executed. So there is no entering, just grab the password, log in to email and send the email.

Re: Python Password Security

Posted: Thu Sep 15, 2016 1:49 pm
by ghans
Yeah, put the credentials in a file, chmod 600 it and call it a day.
Everything else is just obfuscation/DRM and the only one you're fooling
with that is yourself.

ghans