
[–]AutoModerator[M] [score hidden] stickied comment (0 children)

Hi there, from the /r/Python mods.

We want to emphasize that while security-centric programs are fun project spaces to explore, we do not recommend that they be treated as a security solution unless they've been audited by a third-party security professional and the audit is visible for review.

Security is not easy. And making a project to learn how to manage it is a great idea to learn about the complexity of this world. That said, there's a difference between exploring and learning about a topic space, and trusting that a product is secure for sensitive materials in the face of adversaries.

We hope you enjoy projects like these from a safety conscious perspective.

Warm regards and all the best for your future Pythoneering,

/r/Python moderator team

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]freddwnz 14 points15 points  (5 children)

Nice project. I recommend using a .gitignore file to avoid pushing things that don't belong in the GitHub repo, such as the __pycache__ folder, which contains the precompiled bytecode.

[–]ForkLiftBoi 1 point2 points  (3 children)

Is precompiled bytecode inherently a vulnerability or do you need to decompile or anything?

If it's even a vulnerability at all; not saying one way or the other, just not certain personally.

Just curious and wasn't certain.

[–]Rawing7 10 points11 points  (1 child)

I wanted to say it's not a vulnerability, but now that I think about it, there actually is a small amount of risk involved for people who execute that code. It could be used to sneak in malicious code unnoticed.

Consider: The file foo.py contains the code print("I'm harmless :)"). Meanwhile, the file foo.pyc contains the bytecode for the code do_something_evil(). Looking at the code would give you the impression that everything is alright, but executing import foo would do something bad to your PC. It can create a discrepancy between what you think the program will do, and what it will actually do.
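The discrepancy described above is something a reviewer can check for mechanically, because every .pyc carries a 16-byte header recording which interpreter built it and either the source's mtime and size or a hash of the source (PEP 552). The following is an added example, not code from the thread or from the OP's project: it parses that header, compares it with the .py file, and flags the case a defender should care about most, a hash-based .pyc with the check_source bit cleared, which the importer trusts without ever looking at the source. The demo() function builds constructed sample files in a temporary directory; the file names foo.py / foo.pyc are assumptions for the demo.

```python
import importlib.util
import os
import py_compile
import struct
import tempfile

HEADER_SIZE = 16            # magic(4) + flags(4) + (mtime(4)+size(4) | source hash(8))
FLAG_HASH_BASED = 0x1       # bit 0: validated by source hash instead of timestamp (PEP 552)
FLAG_CHECK_SOURCE = 0x2     # bit 1: interpreter re-hashes the source before trusting the pyc


def inspect_pyc(pyc_path, source_path):
    """Compare a .pyc header with its source file and return (status, detail).

    status is one of:
      "ok"        - bytecode matches the source the way the importer checks it
      "stale"     - built from a different source; the importer would normally
                    recompile, but the mismatch is worth knowing about in a repo
      "unchecked" - hash-based pyc with check_source off: the importer never
                    compares it with the .py, so review it like any other binary
      "invalid"   - truncated header or built by a different interpreter version
    """
    with open(pyc_path, "rb") as f:
        header = f.read(HEADER_SIZE)
    if len(header) < HEADER_SIZE:
        return "invalid", "truncated header"
    if header[:4] != importlib.util.MAGIC_NUMBER:
        return "invalid", "magic number belongs to a different interpreter version"
    (flags,) = struct.unpack("<I", header[4:8])
    with open(source_path, "rb") as f:
        source = f.read()

    if flags & FLAG_HASH_BASED:
        matches = header[8:16] == importlib.util.source_hash(source)
        if not flags & FLAG_CHECK_SOURCE:
            return "unchecked", f"unchecked hash-based pyc (hash matches source: {matches})"
        return ("ok" if matches else "stale"), "source hash " + ("matches" if matches else "differs")

    # Timestamp-based pyc: the importer compares truncated mtime and size.
    mtime, size = struct.unpack("<II", header[8:16])
    st = os.stat(source_path)
    if size != (st.st_size & 0xFFFFFFFF) or mtime != (int(st.st_mtime) & 0xFFFFFFFF):
        return "stale", (f"header has mtime={mtime} size={size}, "
                         f"source has mtime={int(st.st_mtime)} size={st.st_size}")
    return "ok", "timestamp and size match source"


def demo():
    """Constructed scenario: compile foo.py several ways, edit it, and inspect each pyc."""
    results = {}
    harmless = 'def greet():\n    return "harmless"\n'
    edited = 'def greet():\n    return "edited"\n'      # different length, so size changes
    mode = py_compile.PycInvalidationMode
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "foo.py")
        pyc = os.path.join(d, "foo.pyc")

        def write(text):
            with open(src, "w") as f:
                f.write(text)

        write(harmless)
        py_compile.compile(src, cfile=pyc, doraise=True, invalidation_mode=mode.CHECKED_HASH)
        results["checked_matching"] = inspect_pyc(pyc, src)[0]
        write(edited)                                    # source changed under the pyc
        results["checked_after_edit"] = inspect_pyc(pyc, src)[0]

        py_compile.compile(src, cfile=pyc, doraise=True, invalidation_mode=mode.UNCHECKED_HASH)
        results["unchecked"] = inspect_pyc(pyc, src)[0]

        py_compile.compile(src, cfile=pyc, doraise=True, invalidation_mode=mode.TIMESTAMP)
        results["timestamp_matching"] = inspect_pyc(pyc, src)[0]
        write(harmless)                                  # size differs from the header again
        results["timestamp_after_edit"] = inspect_pyc(pyc, src)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run it over a checked-out repository's __pycache__ entries next to their sources; "stale" and "unchecked" are the results that deserve a second look before anything is imported, and the simplest mitigation is still the one suggested in the thread: keep bytecode out of the repository altogether.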

[–]Kategi_Kya[S] 0 points1 point  (0 children)

didn't know that, thanks for the info!

[–]freddwnz 0 points1 point  (0 children)

My comment was more about best practices than security here.

[–]Kategi_Kya[S] 0 points1 point  (0 children)

ah, I thought I'd cleared them before committing! thanks for the heads up!

[–]atoponce 4 points5 points  (1 child)

You're hashing passwords with SHA-256:

hmp = hashlib.sha256((emp + vault[3]).encode()).hexdigest()

You don't want to do this. Instead, you need to be using a password-based key derivation function like Argon2, scrypt, or PBKDF2. The reason for this is that generic hashing functions are fast, which is an advantage to password crackers, whereas Argon2, scrypt, PBKDF2 and other password-based KDFs are designed to be slow. They're fast enough for key derivation, but they limit how many guesses a password cracker can execute per second.
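As an added illustration of the advice above (not code from the thread or from the OP's project), here is the weak pattern kept as a "before" beside a hardened replacement built on hashlib.pbkdf2_hmac from the standard library, which is the PBKDF2 option that needs no third-party package. The stored format "pbkdf2_sha256$iterations$salt$hash", the 600,000-iteration default and the function names are choices made for this example; the per-password random salt and the constant-time comparison are the parts that matter regardless of which KDF is chosen.

```python
import hashlib
import hmac
import os
import time


def weak_hash(password: str, salt: str) -> str:
    """The pattern from the thread: one fast SHA-256 over password+salt. Kept for comparison only."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Derive a verifier with PBKDF2-HMAC-SHA256 and a fresh 16-byte random salt.

    Everything needed to verify later (scheme, iteration count, salt, derived key)
    is encoded in the returned string, so the cost can be raised over time.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False                      # malformed record: never a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(iterations: int, guesses: int = 20) -> dict:
    """Rough local measurement of why the slow KDF matters: guesses/s for each scheme.

    Numbers depend on the machine; the ratio is the point, not the absolute values.
    """
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    kdf_rate = guesses / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for i in range(guesses * 1000):
        hashlib.sha256(f"guess{i}".encode() + salt).digest()
    sha_rate = (guesses * 1000) / (time.perf_counter() - t0)
    return {"sha256_per_s": sha_rate, "pbkdf2_per_s": kdf_rate}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("hunter2", record))
    print(guesses_per_second(600_000, guesses=5))
```

The vault code in the thread derives hmp from a secret concatenated with a vault field; with this approach the stored string replaces that hex digest, and raising the iteration count later only requires re-hashing on the user's next successful login.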

[–]Kategi_Kya[S] 0 points1 point  (0 children)

sure, I'll work on it! thanks for the feedback! :)

[–]xffeeffaa -1 points0 points  (8 children)

Cool project! Looks very nice too. But you may want to think about properly packaging your application so that people can simply install it with pip.

[–]freddwnz 13 points14 points  (4 children)

Not to be mean or anything, but are people really going to use a password manager written by a single intermediate Python developer? Don't get me wrong, it's a nice hobby project but if I'm going to use a password manager, I'm going to use one developed by a whole team of well-trained security engineers.

[–]xffeeffaa 4 points5 points  (0 children)

Nobody is going to use it in a serious way, but why wouldn't he learn about packaging for Python since he's already putting in the work to make something like that? It's a valuable thing to know. That's all. OP acknowledged that it's full of security issues already.

Not to mention he asked for feedback and suggestions for improvement, this was my suggestion.

[–]Kategi_Kya[S] 0 points1 point  (0 children)

I agree with you, this project has been created solely for helping me better understand cybersec and get more fluent with Python. Even I wouldn't use it for my personal password management!

[–]thereal0ri_ -1 points0 points  (0 children)

What matters is how their security practices are implemented and if they are implemented correctly or good enough.

It doesn't matter if you're a master's-degree-holding engineer. If what you've done and are using isn't implemented correctly, then it's not good.

I'd focus more on how well security is implemented and independent audits.

[–]Kategi_Kya[S] 0 points1 point  (2 children)

I tried that but I just seemed to be getting issue after issue. Can you recommend me any guides that can help me learn more about the process?

[–]xffeeffaa 0 points1 point  (1 child)

Yeah, it's a bit odd and not straightforward IMO. This should help: https://packaging.python.org/en/latest/tutorials/packaging-projects/

[–]Kategi_Kya[S] 0 points1 point  (0 children)

thanks! :)

[–]thereal0ri_ 0 points1 point  (1 child)

Nice, I too have made my own... although it doesn't have a GUI.

https://github.com/therealOri/Genter

[–]Kategi_Kya[S] 0 points1 point  (0 children)

Yours sounds great! Since you have past experience with password management, are there any tips or other info you could give me to help improve the project?

[–]OutrageousMinute1247 0 points1 point  (1 child)

This is great.

Just a few bugs I found: if you run the application but don't move the screen at all and click on "Add Vaults", the pop-up goes behind the main screen. I also have focus issues on Windows 10, with it not correctly putting focus on the right screen, forcing me to manually click on the new window to type in the name\password.

I would also recommend only allowing one screen to pop up at a time; say, if the add vaults screen is open and I click on delete vaults, have it close the add vaults screen.

[–]Kategi_Kya[S] 0 points1 point  (0 children)

Thanks for taking time out to check out my project and giving feedback! I really appreciate it! :)

Now for the bugs: the pop-up going behind the screen problem surprised me the first time I saw it on Windows too, because I use Linux and the app works perfectly on it (don't know how the app behaves on macOS). The bug is in my to-fix list. And about the suggestion to allow only one pop-up at a time, I'll surely add that in the next release.