I am writing a Python code and it is requisite to include a password of one of my online account. I want to cover it in some way as keeping its functionality in the code. Is there nay way to masquerade this kind of credential information as keeping its use in the source code?
I would recommend two levels to secure passwords. 1 encrypt, 2, protect the key used for encrypting in key store.
Details- Encrypt the password using aes 256 or similar based on the risk. Key used for encrypting should be in key store and you can hard code the key store password.
You can also choose number of levels based on risk, usually at least two is recommended.
You should tell us what kind of protection you want. Do you want to make everybody able to execute you script without knowing the password? Do you want to be the only able to execute you script but you want to protect the password from people who can read the source? There may be different solution.
However every solution will require you to insert another password to get access to the stored password. So I think that the best solution would be not to save the password in the source at all.
Related
I'm creating a website where users can write about their day in a sort of diary. Right now, if a user decides to write something even remotely personal I can immediately see that just by querying the database for their entry content. I was wondering what the best way would be to encrypt this diary entry I get from the user so it would at least take some more effort from myself to see what people are writing. I am using Flask and SQLAlchemy.
if its a matter of human readability, you could just base64 encode it - therefore obfuscating it, instead of encrypting it. This is included in the python standard library, here's an example:
https://www.base64encoder.io/python/
If it needs to be encrypted, you could assign the user a private key and encrypt the data with its corresponding public key. This may be overkill, unless you do not want anyone else to be able to read it, even with a lot of effort put into it. Obviously you need to keep those private keys secret to anyone except the user, which would be complicated and you would not be able to assist the users if they lose their keys.
I have a script A that needs to perform authentication on my professional email. Right now, I put that data in a python dict() in a script B that is imported into script A at runtime in an unencrypted form. The script B is not under version control.
This is only for a personal project, so I don't need to have very reusable code, but the authentication in question yields access to critical data.
Is importing unencrypted data at runtime as described in this answer secure?
No, not really.
Two notable issues.
First, if the attacker has access to your main source, finding the authentication information is quite straightforward.
Second, should someone stumble across the B file, there's your credentials laid out in plain sight.
Dealing with this is a key management problem, since what you want to do is encrypt the authentication information, but then you need a key, and you're back to square one. It's an intractable problem.
The game is burying the key.
The simplest solution is to simply prompt for the key (or the credentials) at startup, and not store it anywhere save in memory.
Or you can do a simple encryption of the credentials, store the key in a file, and read it in. This will defeat casual snooping (someone just looking at files), but nobody else.
So, it depends on what you feel your threat profile really is.
I understand the difference between Hashing and Encryption. I am looking for a simple way to implement encryption/decryption strings in Python. Most of the ways I found on-line was about using Hashing algorithms ( MD5 - SHA-1 etc... ) in order to do one way hashing. But unfortunately, hashing is irreversible. Any suggestions ?
You might be doing something wrong.
If you don't want to give an attacker access to all passwords stored in the database, you should not reverse the hash to recover the password and compare it with input. You should hash the input and compare that to the hashed password.
But maybe you aren't.
Perhaps you still would like to encrypt something, in such a way that it is possible to decrypt it later. There's a module called PyCrypto that can help you with this, implementing a large quantity of unique and strong algorithms to allow secure transport or storage of sensitive data.
This seems somewhat trival but I have spent a bit of time googling with no results. Anyways I am developing a web app and I need to store 'sensitive' data in a mysql database and then access it to authenticate api calls from python. I am no security expert but I have a basic understanding of hashing and encrypting.
I know how to encrypt the data with aes_decrypt aes_encrypt and I also know how to hash the data using the password() function supplied by mysql.
My first question is should I be encrypting this data or hashing it? My second question is I do not know how to 'access' or 'use' the password information in python once I hash it using the password() function in mysql.
Any help is much appreciated.
Firstly I am no python expert, my answer is only aimed for a general approach.
Passwords in web applications are usually stored as hashes, not encrypted, this basically makes it harder for someone to get them if your table is compromised. Hashes should be generated as solid as possible. Please do not just a MD5, better use something more secure (from todays perspective) and salt it properly to minimize the risk of rainbow attacks.
I wouldn't use the MySQL Password() function for this. The documentation says:
The PASSWORD() function is used by the authentication system in MySQL
Server; you should not use it in your own applications. For that
purpose, consider MD5() or SHA2() instead.
This leaves SHA2(), if you want to hash with MySQL, though don't forget to salt the string before hashing. My way of doing it would be to hash the string with your application (see python hashlib for reference), salt it like this and then just store the hash in the database. This avoids security issues of your data between your application and the database server.
First, my question is not about password hashing, but password encryption. I'm building a desktop application that needs to authentificate the user to a third party service. To speed up the login process, I want to give the user the option to save his credentials. Since I need the password to authentificate him to the service, it can't be hashed.
I thought of using the pyCrypto module and its Blowfish or AES implementation to encrypt the credentials. The problem is where to store the key. I know some applications store the key directly in the source code, but since I am coding an open source application, this doesn't seem like a very efficient solution.
So I was wondering how, on Linux, you would implement user specific or system specific keys to increase password storing security.
If you have a better solution to this problem than using pyCrypto and system/user specific keys, don't hesitate to share it. As I said before, hashing is not a solution and I know password encryption is vulnerable, but I want to give the option to the user. Using Gnome-Keyring is not an option either, since a lot of people (including myself) don't use it.
Encrypting the passwords doesn't really buy you a whole lot more protection than storing in plaintext. Anyone capable of accessing the database probably also has full access to your webserver machines.
However, if the loss of security is acceptable, and you really need this, I'd generate a new keyfile (from a good source of random data) as part of the installation process and use this. Obviously store this key as securely as possible (locked down file permissions etc). Using a single key embedded in the source is not a good idea - there's no reason why seperate installations should have the same keys.
Try using PAM. You can make a module that automatically un-encrypts the key when the user logs in. This is internally how GNOME-Keyring works (if possible). You can even write PAM modules in Python with pam_python.
Password Safe is designed by Bruce Schneier and open source. It's for Windows, but you should be able to see what they are doing and possibly reuse it.
http://www.schneier.com/passsafe.html
http://passwordsafe.sourceforge.net/
Read this: If you type A-E-S into your code, you're doing it wrong.