Hiding a password in a python script insecure obfuscation only

Question

I have got a python script which is creating an ODBC connection  The ODBC connection is generated with a connection string  In this connection string I have to include the username and password for this connection     Is there an easy way to obscure this password in the file  just that nobody can read the password when I m editing the file

User · Answer

Your operating system probably provides facilities for encrypting data securely  For instance  on Windows there is DPAPI  data protection API   Why not ask the user for their credentials the first time you run then squirrel them away encrypted for subsequent runs

User · Answer

If you are working on a Unix system  take advantage of the netrc module in the standard Python library  It reads passwords from a separate text file   netrc   which has the format decribed here   Here is a small usage example   import netrc    Define which host in the  netrc file to use HOST    mailcluster loopia se     Read from the  netrc file in your home directory secrets   netrc netrc   username  account  password   secrets authenticators  HOST    print username  password

User · Answer

This is a pretty common problem   Typically the best you can do is to either   A  create some kind of ceasar cipher function to encode decode  just not rot13  or  B  the preferred method is to use an encryption key  within reach of your program  encode decode the password   In which you can use file protection to protect access the key   Along those lines if your app runs as a service daemon  like a webserver  you can put your key into a password protected keystore with the password input as part of the service startup  It ll take an admin to restart your app  but you will have really good pretection for your configuration passwords

User · Answer

A way that I have done this is as follows  At the python shell   gt  gt  gt  from cryptography fernet import Fernet  gt  gt  gt  key   Fernet generate key    gt  gt  gt  print key  b B8XBLJDiroM3N2nCBuUlzPL06AmfV4XkPJ5OKsPZbC4    gt  gt  gt  cipher   Fernet key   gt  gt  gt  password    quot thepassword quot  encode  utf-8    gt  gt  gt  token   cipher encrypt password   gt  gt  gt  print token  b gAAAAABe TUP82q1zMR9SZw1LpawRLHjgNLdUOmW31RApwASzeo4qWSZ52ZBYpSrb1kUeXNFoX0tyhe7kWuudNs2Iy7vUwaY7Q     Then  create a module with the following code  from cryptography fernet import Fernet    you store the key and the token key   b B8XBLJDiroM3N2nCBuUlzPL06AmfV4XkPJ5OKsPZbC4   token   b gAAAAABe TUP82q1zMR9SZw1LpawRLHjgNLdUOmW31RApwASzeo4qWSZ52ZBYpSrb1kUeXNFoX0tyhe7kWuudNs2Iy7vUwaY7Q       create a cipher and decrypt when you need your password cipher   Fernet key   mypassword   cipher decrypt token  decode  utf-8    Once you ve done this  you can either import mypassword directly or you can import the token and cipher to decrypt as needed  Obviously  there are some shortcomings to this approach   If someone has both the token and the key  as they would if they have the script   they can decrypt easily   However it does obfuscate  and if you compile the code  with something like Nuitka  at least your password won t appear as plain text in a hex editor

User · Answer

for python3 obfuscation using base64 is done differently   import base64 base64 b64encode b PasswordStringAsStreamOfBytes     which results in  b UGFzc3dvcmRTdHJpbmdBc1N0cmVhbU9mQnl0ZXM        note the informal string representation  the actual string is in quotes   and decoding back to the original string  base64 b64decode b UGFzc3dvcmRTdHJpbmdBc1N0cmVhbU9mQnl0ZXM    b PasswordStringAsStreamOfBytes    to use this result where string objects are required the bytes object can be translated  repr   base64 b64decode b UGFzc3dvcmRTdHJpbmdBc1N0cmVhbU9mQnl0ZXM    secret   repr decode  utf-8   print secret    for more information on how python3 handles bytes  and strings accordingly  please see the official documentation

User · Answer

How about importing the username and password from a file external to the script  That way even if someone got hold of the script  they wouldn t automatically get the password

User · Answer

Here is a simple method    Create a python module - let s call it peekaboo py    In peekaboo py  include both the password and any code needing that password Create a compiled version - peekaboo pyc - by importing this module  via python commandline  etc      Now  delete peekaboo py    You can now happily import peekaboo relying only on peekaboo pyc  Since peekaboo pyc is byte compiled it is not readable to the casual user    This should be a bit more secure than base64 decoding - although it is vulnerable to a py to pyc decompiler

User · Answer

base64 is the way to go for your simple needs  There is no need to import anything    gt  gt  gt   your string  encode  base64    eW91ciBzdHJpbmc  n   gt  gt  gt    decode  base64    your string

User · Answer

The best solution  assuming the username and password can t be given at runtime by the user  is probably a separate source file containing only variable initialization for the username and password that is imported into your main code  This file would only need editing when the credentials change  Otherwise  if you re only worried about shoulder surfers with average memories  base 64 encoding is probably the easiest solution  ROT13 is just too easy to decode manually  isn t case sensitive and retains too much meaning in it s encrypted state  Encode your password and user id outside the python script  Have he script decode at runtime for use   Giving scripts credentials for automated tasks is always a risky proposal  Your script should have its own credentials and the account it uses should have no access other than exactly what is necessary  At least the password should be long and rather random

User · Answer

This doesn t precisely answer your question  but it s related  I was going to add as  a comment but wasn t allowed  I ve been dealing with this same issue  and we have decided to expose the script to the users using Jenkins  This allows us to store the db credentials in a separate file that is encrypted and secured on a server and not accessible to non-admins   It also allows us a bit of a shortcut to creating a UI  and throttling execution

User · Answer

Here is my snippet for such thing  You basically import or copy the function to your code  getCredentials will create the encrypted file if it does not exist and return a dictionaty  and updateCredential will update   import os  def getCredentials        import base64      splitter   lt PC  DFS -SHQ R      directory  C   PCT       if not os path exists directory           os makedirs directory       try          with open directory    Credentials txt    r   as file              cred   file read               file close       except          print  I could not file the credentials file   nSo I dont keep asking you for your email and password everytime you run me  I will be saving an encrypted file at     n  format directory            lanid   base64 b64encode bytes input     LanID      encoding  utf-8    decode  utf-8             email   base64 b64encode bytes input     eMail      encoding  utf-8    decode  utf-8           password   base64 b64encode bytes input     PassW      encoding  utf-8    decode  utf-8           cred   lanid splitter email splitter password         with open directory    Credentials txt   w    as file              file write cred              file close        return   lanid  base64 b64decode bytes cred split splitter  0   encoding  utf-8    decode  utf-8                 email  base64 b64decode bytes cred split splitter  1   encoding  utf-8    decode  utf-8                 password  base64 b64decode bytes cred split splitter  2   encoding  utf-8    decode  utf-8     def updateCredentials        import base64      splitter   lt PC  DFS -SHQ R      directory  C   PCT       if not os path exists directory           os makedirs directory       print  I will be saving an encrypted file at     n  format directory        lanid   base64 b64encode bytes input     LanID      encoding  utf-8    decode  utf-8         email   base64 b64encode bytes input     eMail      encoding  utf-8    decode  utf-8       password   base64 b64encode bytes input     PassW      encoding  utf-8    decode  utf-8       cred   lanid splitter email splitter password     with open directory    Credentials txt   w    as file          file write cred          file close    cred   getCredentials    updateCredentials

User · Answer

If running on Windows  you could consider using win32crypt library  It allows storage and retrieval of protected data  keys  passwords  by the user that is running the script  thus passwords are never stored in clear text or obfuscated format in your code  I am not sure if there is an equivalent implementation for other platforms  so with the strict use of win32crypt your code is not portable   I believe the module can be obtained here  http   timgolden me uk pywin32-docs win32crypt html

User · Answer

Why not have a simple xor    Advantages    looks like binary data noone can read it without knowing the key  even if it s a single char    I get to the point where I recognize simple b64 strings for common words and rot13 as well  Xor would make it much harder

User · Answer

Douglas F Shearer s is the generally approved solution in Unix when you need to specify a password for a remote login  You add a --password-from-file option to specify the path and read plaintext from a file  The file can then be in the user s own area protected by the operating system  It also allows different users to automatically pick up their own own file   For passwords that the user of the script isn t allowed to know - you can run the script with elavated permission and have the password file owned by that root admin user

User · Answer

Place the configuration information in a encrypted config file  Query this info in your code using an key  Place this key in a separate file per environment  and don t store it with your code

User · Answer

Do you know pit   https   pypi python org pypi pit  py2 only  version 0 3    https   github com yoshiori pit  it will work on py3  current version 0 4    test py  from pit import Pit  config   Pit get  section-name     require          username    DEFAULT STRING        password    DEFAULT STRING           print config    Run     python test py   password    my-password    username    my-name        pit default yml   section-name    password  my-password   username  my-name

User · Answer

There are several ROT13 utilities written in Python on the  Net -- just google for them  ROT13 encode the string offline  copy it into the source  decode at point of transmission But this is really weak protection

User · Answer

import base64 print base64 b64encode  quot password quot  encode  quot utf-8 quot     print base64 b64decode b cGFzc3dvcmQ   decode  quot utf-8 quot

User · Answer

Base64 encoding is in the standard library and will do to stop shoulder surfers    gt  gt  gt  import base64  gt  gt  gt   print base64 b64encode  password  encode  utf-8     cGFzc3dvcmQ   gt  gt  gt  print base64 b64decode  cGFzc3dvcmQ    decode  utf-8    password

User · Answer

You could also consider the possibility of storing the password outside the script  and supplying it at runtime  e g  fred py  import os username    fred  password   os environ get  PASSWORD       print username  password    which can be run like    PASSWORD password123 python fred py fred password123   Extra layers of  security through obscurity  can be achieved by using base64  as suggested above   using less obvious names in the code and further distancing the actual password from the code   If the code is in a repository  it is often useful to store secrets outside it  so one could add this to    bashrc  or to a vault  or a launch script        export SURNAME cGFzc3dvcmQxMjM    and change fred py to  import os import base64 name    fred  surname   base64 b64decode os environ get  SURNAME        decode  utf-8   print name  surname    then re-login and    python fred py fred password123

User · Answer

More homegrown appraoch rather than converting authentication   passwords   username to encrytpted details  FTPLIB is just the example   pass csv  is the csv file name  Save password in CSV like below     user name  user password   With no column heading   Reading the CSV and saving it to a list    Using List elelments as authetntication details   Full code   import os import ftplib import csv  cred detail      os chdir  Folder where the csv file is stored   for row in csv reader open  pass csv   rb                    cred detail append row  ftp   ftplib FTP  server name  cred detail 0  0  cred detail 1  0

[python] Hiding a password in a python script (insecure obfuscation only)

Examples related to python

Examples related to security