gproduct
Posts: 59
Joined: Tue Aug 11, 2015 1:27 pm

Python Password Security

Thu Sep 15, 2016 7:25 am

How can I protect a password inside a Python script?
I already used base64 encoding but anyone that has access to it can decode it.
Any suggestions?

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Python Password Security

Thu Sep 15, 2016 8:48 am

You should never use a reversible method to store passwords. Store a hash of the password only.
Let the user enter the password, hash the input, and compare to the stored hash.

Use PBKDF2, bcrypt or Argon2 as hash functions. Password hashing functions can (and should!) be "slow".
Don't use SHA256 or similar - they are too "fast". Definitely don't use MD5.

If you "need" to store passwords in a reversible form, I would think long and hard if the design of
your system isn't fundamentally broken somehow.

ghans
Last edited by ghans on Thu Sep 15, 2016 8:58 am, edited 1 time in total.
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

B.Goode
Posts: 10356
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: Python Password Security

Thu Sep 15, 2016 8:57 am

gproduct wrote: How can I protect a password inside a Python script?
I already used base64 encoding but anyone that has access to it can decode it.
Any suggestions?
Is this a login password?

Consider using ssh with public/private key pairs instead. There are existing Python libraries that implement this solution for you.

gproduct
Posts: 59
Joined: Tue Aug 11, 2015 1:27 pm

Re: Python Password Security

Thu Sep 15, 2016 9:09 am

Thanks for the suggestions, the password is used for sending emails. Login password for email.

Heater
Posts: 15950
Joined: Tue Jul 17, 2012 3:02 pm

Re: Python Password Security

Thu Sep 15, 2016 9:18 am

In that case storing a hash of the password is not a solution.

Still, you should not have the password written into your source code. Or hidden in a binary executable.

Get it from the command line when you start the program. Or read it from a file in some place. Preferably with access permissions set so that only you can read it.
Memory in C++ is a leaky abstraction .

gproduct
Posts: 59
Joined: Tue Aug 11, 2015 1:27 pm

Re: Python Password Security

Thu Sep 15, 2016 9:36 am

If I encode the path to the file where the password's hash is stored and read it with permission, is that enough?

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Python Password Security

Thu Sep 15, 2016 10:16 am

Can you actually work with a password hash, i.e. is your system interactive?
Is somebody going to enter a password every time?

Or will the password itself be transmitted to a third party?

ghans

gproduct
Posts: 59
Joined: Tue Aug 11, 2015 1:27 pm

Re: Python Password Security

Thu Sep 15, 2016 1:43 pm

The password is used when a Python script is executed. So there is no entering, just grab the password, log in to email and send email.

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Python Password Security

Thu Sep 15, 2016 1:49 pm

Yeah, put the credentials in a file, chmod 600 it and call it a day.
Everything else is just obfuscation/DRM and the only one you're fooling
with that is yourself.

ghans
