[python-win32] Storing Passwords.

R Schumacher rays at blue-cove.com
Mon Jan 19 17:21:50 CET 2015


At 07:20 AM 1/19/2015, Bob Hood wrote:
>On 1/19/2015 7:48 AM, Paul Koning wrote:
>
>> The advantage of text files is that it makes it clear that the
>> storage is NOT secure.  The drawback of other schemes is that they
>> may also be insecure, but give the user an illusion of
>> security.  For example, if your script can extract the secret, so
>> presumably can any other script or program.  If so, why not use a
>> text file?  At least that way it's clear that the barn door is wide open.
>
>Agreed.  However, most of the time, those who have compromised your system are
>doing a smash-and-grab where they are just looking for files they can copy.
>It takes more time and effort to find (or upload) a program that they can
>execute to extract "hidden" information than to simply discover a file called
>"passwords.txt" and copy that to their local system.

If Python (pywin32, say?) can do IO on password data, then presumably 
anyone who gains shell access can also, trivially.
Take Active Directory security, for instance; the OP might benefit 
from this discussion:
http://stackoverflow.com/questions/7111618/win32-how-to-validate-credentials-against-active-directory
So, if one gains shell access, then a few milliseconds later one can easily employ
http://docs.activestate.com/activepython/2.5/pywin32/html/com/help/active_directory.html
where even in the supposedly "invalid" methods in the SO link one 
could run millions of Exception-tests in seconds, testing the hashed, 
"securely stored" passwords.
There is some benefit to using OS objects in that hackers with only 
access through http/ftp can't do a grab-and-go. Unless of course they 
have access to copy the DB file, then beating on it later, for days, 
is possible.
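The point about copying a DB file and then "beating on it later, for days" is exactly what the cost of the stored hash governs. As an added illustration (not code from this thread, standard library only, with a constructed sample password and an example iteration count), the following stores passwords as salted PBKDF2 records and estimates how many guesses per second a single core can test against a copied record at a given iteration count:

```python
import hashlib
import hmac
import os
import time

# Example work factor for this illustration; tune to your hardware and latency budget.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Estimate single-core guesses/s against a record with this iteration count.

    This is the rate an attacker who copied the file would face per core;
    it shows how the work factor, not the storage location, bounds offline guessing.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("password123", record))
    for n in (1, 1_000, ITERATIONS):
        print(f"{n:>8} iterations: ~{guesses_per_second(n):,.0f} guesses/s per core")
```

The unsalted, single-iteration case is the "millions of tests in seconds" scenario from the message above; raising the iteration count shrinks that rate proportionally for anyone who later obtains the stored records.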
