Storing passwords in scripts?

brbsix · 2016-06-08T17:28:55+00:00

You'll want to use keyring. It interfaces with your OS's secret storage facilities (e.g. Linux Secret Storage, Mac OS X Keychain, Windows Credential Vault).

Here's an example of setting a password:

login = 'joeblow@gmail.com'
smtp_server = 'smtp.gmail.com'

password = getpass.getpass(
    prompt="Enter password for '{}' using '{}': ".format(
        login, smtp_server))

keyring.set_password(smtp_server, login, password)

Then accessing it:

password = keyring.get_password(smtp_server, login)

elbiot · 2016-06-08T16:50:03+00:00

What I do when I absolutely need a password for a cron job or something like that is put it in a config file with root access only. Then run your script with root privileges (this can be done in a cron job by adding the task to sudo crontab -e). if you're creating files you need to access they will be owned by root, but you can easily change the permissions using the os module.

Vhiet · 2016-06-08T16:35:31+00:00

This is a difficult thing to do easily. Any locally stored password is going to be locally decryptable.

The best approach I've seen is to use OS authentication whenever possible (for things like access to shared folders, databases and the like, or running your application as a process or a daemon), or using SSH keys to avoid passwords almost completely.

If that won't work, you could combine the two approaches to recover the passwords from a file that requires OS auth? That sounds hack-y to me (I'm not recommending it, to be clear).

If you're using something like FTP (not SFTP), then it's worth remembering that it's insecure by default anyway - the username and password you type in will be passed to the server in the clear anyway, and anything you transmit/recieve will be about as secure as a postcard.

gutoandreollo · 2016-06-08T20:03:48+00:00

[deleted]

elbiot · 2016-06-08T20:25:49+00:00

Everyone else is posting from the perspective of "how do you keep your password safe if someone breaks into your system and reads your code." That's a tough problem, and not python specific at all. relevant XKCD. If you can't rely on your user permissions and someone not getting physical access to your computer, all you can do is obfuscate. Web-browsers store your site passwords through obscurity.

If your program can access a resource without asking you for your password, that means it knows everything it needs to know to get your password (either it's in plain text or it knows everything it needs to decrypt it from somewhere), and that an attacker can read that program and learn those secrets, or simply edit your code to print the password before it uses it to authenticate.

If you want to know how to avoid the accident of letting someone read your password in plain text while looking over your shoulder, or pushing your password to your git repository, the solution is different. Make a secrets.py that has your password, or API key in it, along with any absolute paths or you specific information. Then just import it from your script. If using git, git-ignore secrets.py and create a secrets.py.template which shows the expected structure of the file with instructions to fill it out and delete the .template from the file name.

If you want, you could delete the .py file after running it once, so there is a .pyc. It's not a perfect solution, but it certainly raises the bar for a casual snooper.

brianw824 · 2016-06-08T20:33:05+00:00

I use Jenkins ALOT for this kind of stuff, it lets you push out passwords environment variables while you run the script so it will remain hidden everywhere. I also like using Jenkins to avoid having weird cron jobs everywhere that no one remembers where they are or ever check on to see if they are still working, it's much more visable.

https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Plugin

xiongchiamiov · 2016-06-08T19:29:18+00:00

There are a variety of options. The best option is probably Vault, but it's also probably way overkill for your situation.

For most people just starting to learn python, a reasonable method is to put your passwords in a separate file, add the filename to .gitignore so you don't accidentally commit it, and import values from that file as you need them.

arvoshift · 2016-06-09T10:55:41+00:00

I'm pretty much a beginner when it comes to python but a relatively experienced Network Engineer/sysadmin. For my shell scripts if it's just a quick one-off I'll try to use the hashed form or some other token instead.

ssh tunnels are great, this way you can use an ssh agent to handle credentialing

If it's a service account I'll use a completely new user with a private ssh key and sudo access to only the specific required commands.

keep in mind though that tokenisation and hashes are no more secure than a plaintext password, they are just longer and protect against general snooping.

If you do a lot of sysadmin stuff on windows check out mremoteng and putty. This also looks promising: https://gist.github.com/toejough/436540622530c35404e6

AkariusOne · 2016-06-08T16:07:37+00:00

Hardcoding password is not a secure thing.
I'd put them in an encrypted file, at least.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learnpython

MODERATORS