SyntaxFix

[python] Securely storing passwords for use in python script

Possible Duplicate:
I need to securely store a username and password in Python, what are my options?

I am looking for a way to securely store passwords which I intend to use in some Python scripting. I will be logging into different things and I don't want to store the passwords as plaintext in the script itself.

Instead I was wondering if there is anything which is able to securely store those passwords and then retrieve them using something like a master password which I could enter to the script at the beginning.

This question is related to python security

The answer is

Know the master key yourself. Don't hard code it.

Use py-bcrypt (bcrypt), powerful hashing technique to generate a password yourself.

Basically you can do this (an idea...)

import bcrypt
from getpass import getpass
master_secret_key = getpass('tell me the master secret key you are going to use')
salt = bcrypt.gensalt()
combo_password = raw_password + salt + master_secret_key
hashed_password = bcrypt.hashpw(combo_password, salt)

save salt and hashed password somewhere so whenever you need to use the password, you are reading the encrypted password, and test against the raw password you are entering again.

This is basically how login should work these days.

the secure way is encrypt your sensitive data by AES and the encryption key is derivation by password-based key derivation function (PBE), the master password used to encrypt/decrypt the encrypt key for AES.

master password -> secure key-> encrypt data by the key

You can use pbkdf2

from PBKDF2 import PBKDF2
from Crypto.Cipher import AES
import os
salt = os.urandom(8)    # 64-bit salt
key = PBKDF2("This passphrase is a secret.", salt).read(32) # 256-bit key
iv = os.urandom(16)     # 128-bit IV
cipher = AES.new(key, AES.MODE_CBC, iv)

make sure to store the salt/iv/passphrase , and decrypt using same salt/iv/passphase

Weblogic used similar approach to protect passwords in config files

I typically have a secrets.py that is stored separately from my other python scripts and is not under version control. Then whenever required, you can do from secrets import <required_pwd_var>. This way you can rely on the operating systems in-built file security system without re-inventing your own.

Using Base64 encoding/decoding is also another way to obfuscate the password though not completely secure

More here - Hiding a password in a python script (insecure obfuscation only)

Source: Stackoverflow.com

Examples related to python

programming a servo thru a barometer Is there a way to view two blocks of code from the same file simultaneously in Sublime Text? python variable NameError Why my regexp for hyphenated words doesn't work? Comparing a variable with a string python not working when redirecting from bash script is it possible to add colors to python output? Get Public URL for File - Google Cloud Storage - App Engine (Python) Real time face detection OpenCV, Python xlrd.biffh.XLRDError: Excel xlsx file; not supported Could not load dynamic library 'cudart64_101.dll' on tensorflow CPU-only installation

Examples related to security

Monitoring the Full Disclosure mailinglist Two Page Login with Spring Security 3.2.x How to prevent a browser from storing passwords JWT authentication for ASP.NET Web API How to use a client certificate to authenticate and authorize in a Web API Disable-web-security in Chrome 48+ When you use 'badidea' or 'thisisunsafe' to bypass a Chrome certificate/HSTS error, does it only apply for the current site? How does Content Security Policy (CSP) work? How to prevent Screen Capture in Android Default SecurityProtocol in .NET 4.5

Tags

Components Euler-angles Chomp Vimeo Fortran90 Erlangweb Xtratreelist Qmake Raytracing Egg Lamson Email Fileapi Ios Structural-search Dealloc Stx Gambit Typeloadexception Terminator Nokiabrowser Jquery-ui Mgtwitterengine Ondrawitem Google-calendar-api Multirow Mmc Cyclicbarrier Emoji Profiling Wikipedia Jwt Apl Error-correction Msbuild-buildengine Lync-2010 Signedxml Mask Ec2-ami Authlogic Bpel Allegrograph Software-distribution Explicit-implementation Maskedinput Unit-testing Winpcap Expression-design Coderay Java-3d Magpie Testtrack Sessionid Rebol Multi-index Vssettings Vala Nsdata Ruby-enterprise-edition Or-operator Clsidfromprogid Messageboard Atomicreference Execcommand Opcodes Authenticity Ora-00900 Html-select Taylor-series Custom-linq-providers Evolutionary-algorithm Eda Tmp Statements Dcc32 Gpolygon Set-theory Optimistic-concurrency Zend-pdf Accountmanager Limit-clause Writeonly Jmstemplate Metasyntactic-variable Bindingflags Gantt-chart Chatbot Exacttarget Reversion Mscomm32 Bounded-types Statusnet Download-manager Xml-literals Struts2 Scrolltop Binders Rollout Fgets Anonymous-class