I Need to Securely Store a Username and Password in Python, What Are My Options

I need to securely store a username and password in Python, what are my options?

I recommend a strategy similar to ssh-agent. If you can't use ssh-agent directly you could implement something like it, so that your password is only kept in RAM. The cron job could have configured credentials to get the actual password from the agent each time it runs, use it once, and de-reference it immediately using the del statement.

The administrator still has to enter the password to start ssh-agent, at boot-time or whatever, but this is a reasonable compromise that avoids having a plain-text password stored anywhere on disk.

Secure Way to Store Credentials for an API python module

You can use keyring to store your username and password outside your script. A command-line interface allows you to get, set, or delete a stored password. You can store your username as if it were a password to keep it secure.

$ keyring --help
Usage: keyring [get|set|del] SERVICE USERNAME

Options:
  -h, --help            show this help message and exit
  -p KEYRING_PATH, --keyring-path=KEYRING_PATH
                        Path to the keyring backend
  -b KEYRING_BACKEND, --keyring-backend=KEYRING_BACKEND
                        Name of the keyring backend
  --list-backends       List keyring backends and exit
  --disable             Disable keyring and exit

Set the username and password for the service from the command line.

$ keyring set spacetracktools username
Password for 'username' in 'spacetracktools': 
$ keyring set spacetracktools password
Password for 'password' in 'spacetracktools': 

import keyring

# get username and password from keyring
username = keyring.get_password("spacetracktools", "username")
password = keyring.get_password("spacetracktools", "password")

print("My username is:", username)
print("My password is:", password)

I need to securely store a username and password in Python, what are my options?

I recommend a strategy similar to ssh-agent. If you can't use ssh-agent directly you could implement something like it, so that your password is only kept in RAM. The cron job could have configured credentials to get the actual password from the agent each time it runs, use it once, and de-reference it immediately using the del statement.

The administrator still has to enter the password to start ssh-agent, at boot-time or whatever, but this is a reasonable compromise that avoids having a plain-text password stored anywhere on disk.

Using username and password safely in Python code

I know I asked this question a while ago, but I found a better solution to the NTLM/Windows authentication. I used the requests_negotiate_sspi library to avoid any passwords:

from requests_negotiate_sspi import HttpNegotiateAuth
auth = HttpNegotiateAuth()

content = requests.post(call_string, json=parameters, auth=auth)

Hiding a password in a python script (insecure obfuscation only)

Base64 encoding is in the standard library and will do to stop shoulder surfers:

>>> import base64
>>>  print(base64.b64encode("password".encode("utf-8")))
cGFzc3dvcmQ=
>>> print(base64.b64decode("cGFzc3dvcmQ=").decode("utf-8"))
password

How to avoid storing password in Python code

I can only assume you are talking about storing your credentials to a site, that the user is unable to register for themselves?

the most correct way to do this is to NOT do it. storing credentials inside the program is in general not very secure and people who want to(and know how) will be able to get those credentials

For a solution that avoids storing your credentials in the code you could create a middleware server that stores individual user credentials that users register for and then you store your site credentials on that server so that users hit an endpoint in your middleware that then does your query against the site using your login credentials and returns the output verbatim. however this is also a fairly difficult solution. however if you are distributing this to untrusted users and you think it is very important to protect the 3rd party credentials this is really the only choice you have.

another option is to allow users to directly register their own username/password with the 3rd party site (you might even be able to automate it) and then prompt the user for their unique credentials and store those in the users home directory or something (encrypt/encode if you want ...)

based on your edits I believe the following may apply to your use case
If you are distributing it to a very small trusted group or you find a way to not care too much if people get the credentials out of the program there are many many ways to encode/encrypt/obfuscate your password in the code itself. including base64encoding it, or aes encrypting it, breaking it apart into several places. all of these will block the most common ways people scan code for passwords (but a determined person will definitely be able to recover it)

Storing the secrets (passwords) in a separate file

I think storing credentials inside another *py file is your safest bet. Then just import it. Example would look like this

config.py

username = "xy"
password = "abcd"

main.py

import config
login(config.username, config.password)

---

Related Topics