I am writing a desktop application in Python. This application requires the user to input their GMail email and password (however an account must be created specifically for this app, so it's not their personal (read: important) GMail account). I was wondering what would be the best way to store those login credentials. I don't need it to be super secure, but would like something more than storing it as plain text.
Thank you in advance.
Any chance you could not store the information on disk at all? I think that's always the most secure approach, if you can manage it. Can you check the credentials and then discard that information?
You can always encrypt the information if that doesn't work, but the decryption mechanism and key would probably have to reside in your program, then. Still, it might meet your criterion of not super-secure but better than plain text.
Use the OS keyring for this, which is the job of the python-keyring module.
Use the platform's native configuration storage mechanism (registry, GConf, plist).
If you are using Qt for your app, you should really use QSettings and let the framework handle the storage for you. Note: QSettings will NOT encrypt anything for you, but will store values in the most appropriate location depending on the platform it's running on.
Regarding security, you really should use OAuth, like in the example here, and just store the resulting token.
Related
Is there a way to connect to MySQL DB with maybe RSA keys or by providing SHA-256 encrypted login and password in code? Because let's say we want to post our app publicly. Anyone who can decompile the app will see all the code including our login and password to the database.
I was wondering (purely theoretically) because If I wanted to implement some kind of codes system (like those from gift cards or PaySafeCards) to my app so the user could have like a premium membership or different feature and I wanted to store them in my database then someone could just decompile the app, steal the login and password that were in code, access the database, steal the codes and have the membership for free so how would I prevent a situation like that from happening?
You need to use environment variables. Check this website to learn more. You will use the os module and more specifically os.environ which returns a dictionary that contains all current environment variables.
If you want to publish your code on a public platform such as Github you can set private environment variables. Check here
I've heard that MongoDB is very good Database, especially for placing large data inside, However i'm not sure how safe can it really be.
I'm not experienced at MongoDB, but before i choose, i want to know how safe it can be for important data.
So for example, if i specified uri, i would type this:
uri = "mongodb://test1:test1#ds051990.mongolab.com:51990/base1"
I'm trying to make a P2P text chat, It can be accessed on user's PC with root permissions, Whenever user registers, User's Latest IP, Username and will be added to database, as code was shown below.
But the "Hacker" would easily access it by simply getting into code, and viewing all the information, then he would read/write all the data inside.
What would be the best solution to prevent this issue? I think high-level Databases like MongoDB would have some-kind of protection against other users accessing it.
How can make sure only necessary users can access database and other users can't enter it by viewing uri variable?
If not is there ANY other way i can do it? So user can't access Database at all, But i would read and write files from database.
You have no easy way of hiding the credentials. Instead, create a user with the minimal required permissions in the database, and use these credentials in your distributed code.
If you are worried about the users being able to see plain-text IP addresses, you should hash and salt them before inserting them to the database.
I am using an API key in some Python code which I am looking to distribute. This API key is for Google Maps. Are there any security issues with regards to distributing this API key and if so, how is it best to hide this?
It isn't necessary, the Google API key is tied to your domain so the referrer is checked when it is used.
You can read more about how it works here
Relevant part
Note that a key for http://www.mygooglemapssite.com/ will only be accepted when the site is accessed using this address. It will not be accepted if the site is accessed by IP address (eg. http://10.1.2.3/) or by a hostname that is aliased to www.mygooglemapssite.com using a DNS CNAME record.
Their version 3 API doesn't require a key now.
http://code.google.com/apis/maps/documentation/javascript/
You cannot hide this. Your program needs to access it and a hacker will simply use a tool like a debugger, a virtual machine or a modified Python implementation if he/she really wants to know the API key.
I don't think it's necessary to hide a Google Maps API key anyway, as a web page will also have this in its source code when the API is in use. You should refer to the documentation or the page where you obtained the key to see if it's a private key.
if you're providing a tool for "power users" to use google maps, then it's reasonable to expect them to supply their own Google API key. If that's not an option for your users, you will need to have a web-service that your application accesses to act as a deputy so that your private key is not exposed. You will still have to devise a means of authenticating users, if that is applicable.
You could obfuscate the key in various ways, but it's not worth the effort. Obfuscation is a weak way to protect information, and in this case your information's security isn't especially critical anyway.
The point of the API key is largely so that the API vendor (Google, here) can monitor, throttle, and revoke your application's use of their service. It is meant to be private, and you shouldn't share it carelessly or intentionally, but it isn't the end of the world if somebody else gets their hands on it.
The Google Maps API key is only for version 2, which has been officially deprecated since May 2010. Strongly suggest you use Version 3 of the API instead, which is much better, and has no need for an API key.
As title said, I want to use python_ldap to get user's password.
Here is python-ldap reference,
http://www.python-ldap.org/doc/html/index.html
I didn't find any function to get user's password.
Is there anybody do the same thing like me?
And is it possible to get user's password?
No system that is designed to be secure will allow access to clear-text passwords. In fact, the system won't even know the clear-text password.
You might want to re-think exactly what you are trying to do.
No, an ldap server will not send out passwords, plain or encrypted.
You can only write them if you provide the correct credentials.
Usually you query an LDAP directory for a given organizational unit, common name, etc. and find things like passwords as attributes. It means you have to know something about the LDAP schema. There's nothing in your question to indicate that you do.
I've been asked to encrypt various db fields within the db.
Problem is that these fields need be decrypted after being read.
I'm using Django and SQL Server 2005.
Any good ideas?
See: Using Symmetric Encryption in a SQL Server 2005 Database
Yeah. Tell whoever told you to get real. Makes no / little sense. If it is about the stored values - enterprise edition 2008 can store encrypted DB files.
Otherwise, if you really need to (with all disadvantages) just encrypt them and store them as byte fields.
I had the same problem, and created the following solution: http://djangosnippets.org/snippets/2489/
I happened to use M2Crypto as the cipher engine, but that can be swapped out if desired.
As TomTom notes, doing this just raises the bar for an attacker rather than making hostile decryption impossible - in addition to accessing your database, they now also need to access wherever you store the passphrase that feeds into the key derivation function. However, by splitting the key from the data it is protecting in this way, you at least now have the option to further secure that key (e.g. with a key management server) to raise the bar yet higher. Defence in depth is a good strategy, but you also need to decide what constitutues overkill for a given application.
It's also a terrible idea to encrypt any field that might be useful for searching or sorting purposes (I only use this trick to store OAuth credentials for a web service that doesn't support proper tokenised OAuth connections).
If you are storing things like passwords, you can do this:
store users' passwords as their SHA256 hashes
get the user's password
hash it
List item
check it against the stored password
You can create a SHA-256 hash in Python by using the hashlib module.
Hope this helps