Encrypt password within source code.

Tim Chase python.list at tim.thechases.com
Wed May 5 21:48:22 EDT 2010


On 05/05/2010 08:12 PM, Vincent Davis wrote:
> I can't think of a way to do this, not sure it is possible but I feel as
> though I might not know what I don't know.
>
> I want to share an example of a python script, to run it needs a google
> username and password. Is there a way for me to encrypt my username and
> password in the source code?

No-ish.  You can encrypt it, but if you encrypt it, you need to 
include the keys or algorithm for decrypting it, and all it takes 
is a pdb.set_trace() before the decrypted uname/pwd get sent to 
Google to get it, and poof all your encryption/decryption has 
been in vain:

   uname = SUPER_ENCRYPTED_USER
   pwd = SUPER_ENCRYPTED_PASSWORD
   u = secret_decrypt(uname)
   p = secret_decrypt(pwd)
   # regardless of how good the stuff above is
   # you're vulnerable right here:
   # print "%r %r" % (u, p)
   do_google_stuff(u, p)

Unless the Google API you're using allows for chain-of-authority 
creation of sub-credentials (so your account creates secondary 
accounts that are then distributed in your code/config files and 
managed via your dev login), two possibilities that come to mind:

1) put in a bogus uname/password and make them get their own 
Google login to put in (which can be done in a config file if 
they're squeamish about editing source code).  This assumes that 
any arbitrary Google login can grant access to what you want 
(sometimes this is a developer key, in which case the user would 
need to get their own dev key).

2) create a web-service on a server somewhere that has your 
credentials, but your distributed code merely hits this web 
service instead of having your actual credentials in the source 
(plain-text or encrypted).  The server would have them (I'd just 
put them in plain-text -- no need to be fancy.  If you can't 
trust your hosting service, don't use them) but you wouldn't 
expose the credentials outside the application.

-tkc
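
Option 1 from the reply above, as an added example that is not part of the original post: the shared script ships only placeholder values and each user supplies their own login in a config file kept outside the source. The `[google]` section layout, the `CHANGE_ME` placeholder and the function names are assumptions made for this sketch.

```python
import configparser
import os
import stat
import tempfile

# Constructed bogus values the shared copy of the config would ship with.
PLACEHOLDERS = {"", "CHANGE_ME"}

class CredentialError(Exception):
    """Config file is missing, unsafe, incomplete, or still holds placeholders."""

def load_credentials(path):
    """Return (username, password) from an INI file kept outside the shared source."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        raise CredentialError(f"{path} not found; create it with your own login")
    # On POSIX, refuse a file that group or other local users can access.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is accessible to group/others; chmod 600 it")
    # interpolation=None so a '%' in a password is taken literally.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    try:
        user = cfg["google"]["username"]
        pwd = cfg["google"]["password"]
    except KeyError as exc:
        raise CredentialError(f"missing [google] entry: {exc}")
    if user in PLACEHOLDERS or pwd in PLACEHOLDERS:
        raise CredentialError("placeholder credentials; fill in your own")
    return user, pwd

def write_sample(text, mode=0o600):
    """Write constructed sample config to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    demo = write_sample("[google]\nusername = alice@example.com\npassword = p%ss\n")
    print(load_credentials(demo)[0])
    os.remove(demo)
```

The config file itself stays out of version control and out of whatever gets shared; only a template with the placeholder values travels with the script.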






