[python-win32] Storing Passwords.

Paul Koning paul_koning at dell.com
Mon Jan 19 15:48:28 CET 2015


> On Jan 19, 2015, at 7:27 AM, Bob Hood <bhood2 at comcast.net> wrote:
> 
> On 1/19/2015 12:07 AM, Tim Roberts wrote:
>> On Jan 18, 2015, at 12:11 PM, Alp Tunga Özkul <alptungazkul at hotmail.com> wrote:
>>> 
>>> As far as I know Username + Password =(MD5/SHA) Hash. And it is irreversible. I need the actual Username and Password to login to Servers (WMI).
>>> 
>>> Because let's say there are 10 different servers with 10 different credentials that my user uses to access those servers, I need to store user given credentials for the next session.
>> 
>> There is simply no general solution.  If your program can recover the plaintext password, then anyone with access to the text files can recover the plaintext password.
>> 
>> If you don’t want to store the passwords, then your only solution is to ask the user to enter them every time.
> 
> I'm probably missing some crucial point here, but with Python being the host environment, why wouldn't the Python "keyring" module provide the hardened storage the OP is seeking?  Each major OS (Windows, OS X and Linux) has an operating system-hosted location for storing sensitive data--such as passwords--so they cannot easily be accessed.  The "keyring" provides a framework for accessing each.
> 
> Absolutely no need to store them in plain text files on any OS.

The advantage of text files is that it makes it clear that the storage is NOT secure.  The drawback of other schemes is that they may also be insecure, but give the user an illusion of security.  For example, if your script can extract the secret, so presumably can any other script or program.  If so, why not use a text file?  At least that way it’s clear that the barn door is wide open.

Yes, OSs have some way of storing sensitive data.  If security matters, you should look closely at how those things work, and whether they actually deliver the security required for whatever data you’re putting there.  You should also document clearly how things are stored, so that users of your software can independently make that evaluation for themselves.

	paul
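
An added example, not part of the original message or of anyone's code in this thread: a small wrapper around the third-party "keyring" package mentioned above that reports which backend will hold the secrets, so the storage can be documented, and refuses to store when only the null backend is available. The service-name prefix and the function names are assumptions made for this sketch.

```python
import keyring
from keyring.backends import fail

# Hypothetical naming scheme for this example: one keyring item per server.
SERVICE_PREFIX = "wmi-login:"


def describe_storage():
    """Name the backend that will hold the secrets, for the program's docs."""
    cls = type(keyring.get_keyring())
    return f"{cls.__module__}.{cls.__name__}"


def save_credential(server, username, password):
    """Store one server's login; refuse if only the null backend exists."""
    if isinstance(keyring.get_keyring(), fail.Keyring):
        raise RuntimeError(f"no usable keyring backend; not storing {server}")
    keyring.set_password(SERVICE_PREFIX + server, username, password)


def load_credential(server, username):
    """Return the plaintext password, or None if nothing is stored.

    keyring looks the item up by service name and username alone; the call
    carries nothing that identifies the calling program.
    """
    return keyring.get_password(SERVICE_PREFIX + server, username)


if __name__ == "__main__":
    # Prints the backend in use on this machine, e.g. the Windows
    # Credential Manager backend when run on Windows.
    print("Credentials are stored via:", describe_storage())
```

Whatever backend describe_storage() reports is the thing to evaluate: who can read its items, and under which login, decides how much protection the stored passwords actually get.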



