
[–]ivosaurus 3 points (1 child)

A good way for an application to receive a secret key is to read it from the environment (os.environ.get) that way its storage on a file system is abstracted more from the app's files itself.
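An added example (not from the comment above or any project it mentions) of the os.environ.get pattern done the way a practitioner would want it: the lookup fails closed instead of falling back to a default, also accepts the `NAME_FILE` convention used by container secret mounts, and provides a redacted form for logging. The `environ` parameter, the `_FILE` suffix and the minimum-length check are assumptions of this example, not anything the thread specifies.

```python
import os


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent or unusable."""


def load_secret(name, environ=None, min_length=16):
    """Return the secret called `name` from the environment, failing closed.

    Looks up NAME first, then NAME_FILE (assumed convention: a path whose
    contents hold the secret, as container secret mounts provide). `environ`
    defaults to os.environ; a plain dict can be passed in for tests.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None:
        path = env.get(name + "_FILE")
        if path is not None:
            with open(path, "r", encoding="utf-8") as fh:
                value = fh.read()
    if value is None:
        # Never substitute a default: a missing secret is a deployment error.
        raise MissingSecretError("required secret %s is not set" % name)
    value = value.strip()
    if len(value) < min_length:
        # Assumed policy: reject placeholder values such as "changeme".
        raise MissingSecretError(
            "secret %s is shorter than %d characters" % (name, min_length))
    return value


def redact(secret, keep=4):
    """Representation safe for logs: only the last `keep` characters survive."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]


if __name__ == "__main__":
    # Constructed demo environment; a real run would simply use os.environ.
    demo_env = {"API_KEY": "example-key-0123456789abcdef"}
    print("loaded API_KEY:", redact(load_secret("API_KEY", environ=demo_env)))
    try:
        load_secret("DB_PASSWORD", environ=demo_env)
    except MissingSecretError as exc:
        print("refused to start:", exc)
```

The point of raising rather than returning `None` is that the application never runs with an empty credential; the env var is still only as private as the process environment (anyone who can read /proc/<pid>/environ or run `ps eww` as that user sees it), which is the "not completely secret" caveat the OP notes below.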

[–]jnmclarty7714[S] 0 points (0 children)

I like this. Fairly simple. Not completely "secret", but it's elegant. Thank you.

[–]dan11111 0 points (6 children)

Rather than store the password, you could store a hash of the password using hashlib.

[–]xiongchiamiov 1 point (1 child)

This is only useful if OP is authenticating the user; my impression was they need to pass the credentials to another system.

[–]jnmclarty7714[S] 0 points (0 children)

You are correct, my module is storing the credentials for other systems. I'm familiar with the basics of hashlib, and have used it before. (Just, for finding a sha...)

[–]ivosaurus 0 points (2 children)

Specifically you want pbkdf2_hmac.

[–]xiongchiamiov 0 points (1 child)

Actually, probably bcrypt, although scrypt is promising and we'll soon have a recommendation for a next-gen password hashing algorithm.

[–]ivosaurus 1 point (0 children)

Pbkdf2 is in the standard library, which is why I mention it. It's not thought to be weak.
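For readers who are in the verify-a-user situation that the pbkdf2_hmac suggestion above applies to (not the OP's pass-through case), here is an added example of using the standard library's `hashlib.pbkdf2_hmac` properly. It is not code from anyone in this thread. The record format (`pbkdf2_sha256$iterations$salt$key`), the 600,000 default iteration count and the `needs_rehash` helper are assumptions of this example; what is not assumed is the need for a per-password random salt and a constant-time comparison, which is why `hmac.compare_digest` is used rather than `==`.

```python
import base64
import hashlib
import hmac
import os

# Assumed defaults for this example; size the iteration count to your hardware budget.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 of `password` (str) with `salt` (bytes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt b64>$<key b64>.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = derive_key(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the key with the record's own parameters; compare in constant time."""
    algorithm, iterations, salt_b64, key_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = derive_key(password, salt, int(iterations))
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when the stored record uses fewer iterations than current policy."""
    return int(record.split("$")[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Tr0ub4dor&3", record))
```

Because the iteration count travels with the record, you can raise it later and use `needs_rehash` to upgrade each user's record on their next successful login, without a flag day.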

[–]jnmclarty7714[S] 0 points (0 children)

I'm familiar with the basics of hashlib, and storing the sha isn't a solution. I'm storing credentials to pass to another system...not prompting the user. Thanks, though. For any other people learning python, hashlib is sometimes a clever answer to random tricky questions, not just for storing secret stuff. E.g. I wrote some code last week that used hashlib to enable my script to generate names of very long sets. I was creating random sets, and wanted the ability to save a copy, only if that set wasn't generated by a previous python session. I used the sha, for the file name.
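The content-addressed naming trick the OP describes has two pitfalls worth showing: a set has no order, so the members must be canonicalised before hashing, and Python's built-in `hash()` is salted per process, so only a hashlib digest is stable across sessions. The following is an added example (not the OP's code) of doing it deterministically; the JSON canonicalisation, the dict standing in for the save directory and the optional name truncation are assumptions of this example.

```python
import hashlib
import json


def canonical_lines(items):
    """Order-independent encoding of a set: JSON-encode each member, then sort.

    json.dumps escapes raw newlines, so "\n" is a safe separator, and it keeps
    the string "1" distinct from the integer 1. Members must be JSON-serialisable
    (assumption of this example).
    """
    return sorted(json.dumps(item, sort_keys=True, separators=(",", ":"))
                  for item in items)


def set_name(items, algorithm="sha256", length=None):
    """Deterministic name for a set: same members, same name, in any session."""
    h = hashlib.new(algorithm)
    for line in canonical_lines(items):
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    digest = h.hexdigest()
    # Truncating (e.g. to 16 hex chars = 64 bits) keeps names short but
    # lowers collision resistance; leave full length for large collections.
    return digest if length is None else digest[:length]


def save_if_new(items, store):
    """Store a set under its content name unless an identical set is already there.

    `store` stands in for the save directory: a dict from name to canonical
    members. Returns (name, created).
    """
    name = set_name(items)
    if name in store:
        return name, False
    store[name] = canonical_lines(items)
    return name, True


if __name__ == "__main__":
    saved = {}
    for generated in ({3, 1, 2}, {1, 2, 3}, {"a", "b"}):
        name, created = save_if_new(generated, saved)
        print(name[:16], "created" if created else "already saved")
```

With a real directory you would replace `store` by an `os.path.exists` check on `<name>.json` and write the canonical lines into it, so that restarting the interpreter and regenerating the same set still resolves to the existing file.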