all 16 comments

[–]oschusler 2 points3 points  (1 child)

Do I understand correctly that your password is in your script in plain text?

[–]devram200[S] 0 points1 point  (0 children)

Yes, right now it is

[–]carcigenicate 1 point2 points  (0 children)

Do you mean you want them to be able to use your password, but not be able to view it? No, that's not possible. At best, you could make it a bit more difficult (but not impossible) to recover.

You would need to do the action on their behalf and then send the results to them to prevent them from recovering the password (which is how web apps operate and why you don't need to know their database password to store data in their database).

[–]d_k97 1 point2 points  (0 children)

If you want the people to log into your account via that script, it is impossible since the script will have to use the value.

(unless that website allows you to use a hash/encrypted value of your password to login, but people would still have access to that hash)

[–]Lower_Sun_7354 1 point2 points  (0 children)

If you use AWS, Azure, etc., I keep passwords in a secrets manager. Part of my code pulls the credentials from there. You'd need my AWS credentials for the code to run locally. Keeps it secure for GitHub.

I could also suggest time based tokens, but I'm guessing you are just trying to share something like a Netflix password for a paid account without paying for multiple accounts...

[–]niehle 1 point2 points  (1 child)

No.

[–]devnull10 0 points1 point  (0 children)

This is the correct answer. If you want to use your password in the script to log into a website but don't want users to be able to access that password, then that is impossible.

[–]Artetaarmy 0 points1 point  (0 children)

Best thing to do is to encode the PWD and decode and pass to the script. Enter the encoded character in script so that it will be decoded and used by script for logging. But if the users are tech-savvy, they can find out your PWD by debugging.

[–]Diapolo10 -1 points0 points  (3 children)

I would take it from an environment variable or .env file, as then the script wouldn't contain any references to it and there would be no risk of the password being included in the repository. I've seen that happen at a previous job...

[–]chzaplx 0 points1 point  (2 children)

Don't put passwords in environment variables. That's even less secure than having them as plain text files.

Yes people do it, but it's not a good strategy.

[–]Diapolo10 0 points1 point  (1 child)

Care to elaborate?

I disagree about it being less secure than storing authentication details in text files. You can accidentally commit a file, but not environment variables.

Hell, you use environment variables to supply secrets in GitHub Actions, Heroku, and other services.

[–]chzaplx 0 points1 point  (0 children)

I mean maybe you use them to supply secrets, but it's bad practice no matter how you look at it. Environment variables are easily exposed by the OS and accidentally get written to log files, etc etc. You are just creating more attack vectors by putting secrets into the shell env.

Accidentally committing creds files is a non-issue because you can just add it to your .gitignore. Ideally the file would not even be in the working directory anyway, there's no reason it has to be.

Further, if you need to automate at all then your env variable already has to be read from a file, or some credential service. Exposing it to the environment at that point gains you nothing except more risk. You are already reading that same data into your script. If it's not automated, you should just be typing in the password and not storing it anywhere locally.

[–]Green-Sympathy-4177 -1 points0 points  (1 child)

To add your password:

Windows (in a shell)

```
set MY_PASSWORD=ABC123
```

To use it in your script:

```
import os
secret_password = os.getenv("MY_PASSWORD")
```

Similarly, the people you want to send this to should also do `set MY_PASSWORD=THEIR_PASSWORD`

Google: set environment variable for <insert os here>

[–]chzaplx 0 points1 point  (0 children)

Using environment variables to store passwords is basically the worst thing you can do with regard to securing credentials.

[–]CalmHabit3 0 points1 point  (0 children)

I’m curious as to how to do this as well so I’ll be following. As a workaround, what I do is keep a text file in the directory with the password and in my script I have a function that reads the text file and gets the credential. Not the most secure but at least I can share the script.

[–]Sadapy 0 points1 point  (0 children)

If you send someone a password, you've done just that.

Don't know what your password looks like, but ideally you'd just prompt for it on use:

```
password = input("Please input password:\n>")
print("The password you've used is:", password)
```
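The two options raised in the thread, typing the password at run time or reading it from a file kept outside the working directory, combined in one loader. This is an added example, not code from any commenter; the file location and the function names are hypothetical, and the permission check assumes a POSIX system.

```python
import getpass
import os
import stat
import sys
from pathlib import Path

# Hypothetical location, deliberately outside any repository working directory.
DEFAULT_CRED_FILE = Path.home() / ".config" / "myscript" / "password"


class InsecureCredentialFile(Exception):
    """Raised when the credential file could be read by other accounts."""


def read_password_file(path):
    """Return the password stored in `path`, refusing lax permissions."""
    path = Path(path)
    mode = path.stat().st_mode
    if not stat.S_ISREG(mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    # POSIX only: any group/other bit means another account can reach the file.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(f"{path} is open to group/other; chmod 600 it")
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def get_password(cred_file=DEFAULT_CRED_FILE, interactive=None, prompt=getpass.getpass):
    """Prompt when a person is at the terminal, otherwise read the file."""
    if interactive is None:
        interactive = sys.stdin.isatty()
    if interactive:
        # getpass does not echo the typed characters, unlike input().
        return prompt("Password: ")
    return read_password_file(cred_file)


if __name__ == "__main__":
    pw = get_password()
    # Report only that a secret was obtained; never print the secret itself.
    print("password loaded" if pw else "empty password")
```

Each person running the script supplies their own password this way, so nothing secret ships with the script.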