Passwords in APIs

Ian Bicking ianb at colorstudy.com
Tue Dec 10 22:36:08 EST 2002 

On Mon, 2002-12-09 at 17:03, John J Lee wrote:
> I maintain a free Python package for dealing with HTML forms on the
> client side (http://wwwsearch.sourceforge.net/ClientForm).  HTML forms
> are made up of controls -- eg. list boxes, text entry areas,
> checkboxes, etc.  ATM, I just deal with <INPUT TYPE=PASSWORD> controls
> in the same way as everything else:
> 
> control["uname"] = "joe"  # TEXT
> control["pswd"] = "joe"  # PASSWORD
> 
> 
> This leaves a reference to (not a copy of) the password somewhere
> where the user doesn't have access to it.  In theory, this sounds like
> a bad idea.  One could add something to the API that avoids this by
> allowing passing passwords in at form submission time, eg.:
> 
> form.click("submit", passwords=[("pswd", "joe")])
> 
> 
> But I wonder if, in reality, there is any real point, since I don't
> have many specific ideas about how the presence of these references
> might be exploited.  The only thing I can come up with is that it's
> possible someone could add an HTMLForm instance to an object, then end
> up pickling the object to disk, perhaps not realising that the
> password is still in there.  I suppose this may be sufficient reason
> in itself.

Generally I wouldn't worry so much about it... it's hard to make it a
whole lot better.  You could do something like use the pickle hooks to
write only an encoded value to disk -- you probably don't want to
encrypt it, because then you must force the user to use a password to
retrieve it.  If that level of security is necessary, I would expect the
program that was managing the pickling to do its own encryption.  So,
while you can encode it (base64, for instance), that's just to keep
prying eyes from easily getting the password.

I wouldn't worry, though.  I wouldn't expect the password to be
protected if I was using your library.

-- 
Ian Bicking           Colorstudy Web Development
ianb at colorstudy.com   http://www.colorstudy.com
PGP: gpg --keyserver pgp.mit.edu --recv-keys 0x9B9E28B7
4869 N Talman Ave, Chicago, IL 60625 / (773) 275-7241

More information about the Python-list mailing list