best way to embed passwords into scripts

[mikey6785]

what is the best way to embed passwords in python scripts?
I am wanting to automate tasks that would typically require credentials.

I've been looking into keyring and this works great when you run the script from Command line in windows.

but in WSL it makes you type in a master pass which stinks for automated scripts (cron/scheduled tasks).

pyKeePass looks pretty cool and it works well. I was thinking about using a keepass database then compile the Python script using Pyinstaller so the master pass would be "hidden".


i would prefer to use keyring and just make it to where I don't have to type in the master pass

[Pedroski55]

Don't know for Python, but PHP has password_hash($password, PASSWORD_DEFAULT) for saving the password of a new user, as yet unregistered user, to a database table.
This creates a 255 character string, I believe. Anyway, the encrypted password is very long and complicated.

//encrypt password using password_hash()
$password = password_hash($password, PASSWORD_DEFAULT);
//insert new user to our database

Then, when a user logs on, you get the user's ordinary password, like: John, and use password_verify() to check it against the encrypted password stored in the database.

// first check the password. If incorrect, bale out
//validate the password with $user[password]
if(!password_verify($password, $user['password'])){
$_SESSION['loginerror'] = '密码不对的 Incorrect password!!';
header('location: index.php');
exit();
}

Python must have a very similar system. Except you are not working with webpages and SQL, which should make things easier.

[rob101]

I was thinking about using a keepass database then compile the Python script using Pyinstaller so the master pass would be "hidden".

Humm... Could that not be reverse engineered?

This may or may not help, but what I would do is to hash the password, then have your python script check the hash, something like this:

from hashlib import sha256
passphrase = input('passphrase: ')
hash_sha256 = sha256(passphrase.encode('utf-8')).hexdigest()
if hash_sha256 != '1e089e3c5323ad80a90767bdd5907297b4138163f027097fd3bdbeab528d2d68':
    print("No. Try again")
else:
    print("You're in!")

To add... I've just seen the above; it looks to be the same idea.

[DeaD_EyE]

what is the best way to embed passwords in python scripts?
I am wanting to automate tasks that would typically require credentials.

Not putting them into Code is the best option. If a user uses it, he requires his own credentials. Those credentials could be saved in a file. If it's possible, use Tokens instead of username/password combination, if the API allows it.

Typical example:

import getpass
import json
from pathlib import Path


CREDS = Path.home().joinpath(".config/credentials.txt")


def get_creds(renew=False):
    if CREDS.exists() and not renew:
        with CREDS.open() as fd:
            return json.load(fd)
    else:
        user = input("Username: ")
        token = getpass.getpass("Token: ")
        # getpass.getpass hides the characterss you enter
        creds = {"user": user, "token": token}

        with CREDS.open("w") as fd:
            json.dump(creds, fd)

        return creds

i would prefer to use keyring and just make it to where I don't have to type in the master pass

In the most use cases, developers are using APIs from third-party providers, which have mostly all a good management of Tokens + Access-Rights.

Exposing a password for everything is a bad idea. If you don't put credentials in your code, you can't accidentally upload it to the public. This happened to many devs. Most of them had luck because the "only" lost their Token. Losing the password which is maybe used at other places is a bad scenario. Never put master-keys and/or Username/Password in your Code. Use files instead.