Python Forum
Hiding username and password on sql
#1
In my Python code, I have my username and password entered as plain text. But this is not the best practice since now anyone that sees my code also knows the database root username and password. How can I 'hide' the password here? I watched a YouTube video, but is this the best way?

import mysql.connector

# Credentials are hard-coded here; this is the problem being asked about.
mydb = mysql.connector.connect(
  host="localhost",
  user="root",
  password="mydbpw",
  database="users"
)
Python Quick Tip: Hiding Passwords and Secret Keys in Environment Variables (Windows)
Reply
#2
What I did is this, not sure if this is the best solution.
I created another python file called sql_creds.py, then I copy and pasted username and password there.
Then on my main.py, I imported sql_creds.py as creds. Then I used creds.username, and creds.password.

But this doesn't solve the problem either because now someone can open sql_creds.py to get the login. I can probably hide that file, but that's not a solution either.

How do you hide API, passwords etc on your code?
Reply
#3
Command line arguments or use input() to enter credentials?
Reply
#4
Yes, I thought about input() and entering credentials, but in this example, I don't want to do that, because my eventual plan is to run this as a service or startup task. So I don't want it to wait for me to enter credentials, or fail.
Reply
#5
There is no decryption scheme where you don't have to provide anything. Set the file privilege so you can only write or execute? If nobody can read the file you don't have to worry about hiding the password.
Reply
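
An added example, not part of any post in this thread: one way to combine the environment-variable approach named in the video title in post #1 with the file-permission idea in post #5, for a script that runs unattended. The variable names APP_DB_USER and APP_DB_PASSWORD, the JSON file layout and the file path are assumptions, and the permission check is POSIX-only.

```python
import json
import os
import stat

# Assumed names (not from the thread): environment variables and JSON keys.
ENV_USER = "APP_DB_USER"
ENV_PASSWORD = "APP_DB_PASSWORD"


def check_private(st, path):
    """Refuse a credentials file that other local users could read or replace."""
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the account running the script")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/other bits set, expected mode 0600")


def load_db_credentials(path=None, env=None):
    """Return connect() keyword arguments without any secret in the source."""
    env = os.environ if env is None else env
    if env.get(ENV_USER) and env.get(ENV_PASSWORD):
        # Set by the service manager or task scheduler, not by the script.
        return {"user": env[ENV_USER], "password": env[ENV_PASSWORD]}
    if path is None:
        raise RuntimeError("no credentials in the environment and no file given")
    with open(path, encoding="utf-8") as fh:
        # fstat on the open handle, so the file checked is the file read.
        check_private(os.fstat(fh.fileno()), path)
        data = json.load(fh)
    return {"user": data["user"], "password": data["password"]}


def write_private(path, user, password):
    """Create the credentials file with mode 0600 from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"user": user, "password": password}, fh)
    os.chmod(path, 0o600)  # in case the file already existed with wider bits


# Usage in the script from post #1 (hypothetical path):
#   creds = load_db_credentials("/etc/myapp/db.json")
#   mydb = mysql.connector.connect(host="localhost", database="users", **creds)
```
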
#6
ok thanks. I was just wondering how this is done. It sounds like there's no preferred method.
Reply
#7
You don't store a password; you store a hash value of the password and check the hash value, to assert if said password is correct, or not.
Sig:
>>> import this

The UNIX philosophy: "Do one thing, and do it well."

"The danger of computers becoming like humans is not as great as the danger of humans becoming like computers." :~ Konrad Zuse

"Everything should be made as simple as possible, but not simpler." :~ Albert Einstein
Reply
#8
@rob101

how would I do that? That seems more secure.
Reply
#9
As a simple proof of concept:

from hashlib import sha256

hpw = "66ebb3e1ed156a03801ecf5c40320bd8a3720f07d65612c486fd7b65ac268135"

hashVal = ""
while hashVal != hpw:
    pw = input("Enter your password: ")
    hashVal = sha256(pw.encode('utf-8')).hexdigest()
The only way to exit that loop is to enter 'your password', but any hash value that only you know how it was generated can be used in hpw, which is what is stored in whatever way your system has been designed.
Reply
#10
thank you
Reply