Python Forum
How secure is the use of "secret" import?
#1
Hi,

I suppose, like many others, I decided to use the "secrets" file to store some information relevant to things like email account setup etc.

But in reality, how secure is this method? From my point of view the data within the file is still basically text, isn't it?

Thanks
JohnW
#2
(Nov-07-2023, 10:48 AM)ejwjohn Wrote: I suppose like many others i decided to use the "secrets" file to store some information relevant to things like email account set up etc.
What exactly is this supposed to mean?
If you can't explain it to a six year old, you don't understand it yourself, Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs

#3
Hi,

Users often recommend not including personal details directly within a Python script, for example when you want to sign on to your email account from within a script. The recommendation is that you use a file, often called secrets for example, to store your login info and then use the import function to bring the data into the script. I thought this was common knowledge, or have I missed something?
#4
Not storing hardcoded credentials within your code IS (or should be) common knowledge, if not for other reason, then because you don't want to store credentials and push them in the repo. Naming a file "secrets" is really not that common IMHO and more a matter of personal choice.

Your description as
(Nov-07-2023, 10:48 AM)ejwjohn Wrote: the "secrets" file
was unclear, although I guessed you mean exactly that.
#5
OK, understood. The use of the name "secrets" within this post was an attempt to more easily link the issue with the question.

The question in my opinion is still valid in that if you create a file within your system which contains "secrets" and your system has been hacked then there's a very good chance that your "secrets" are no longer "secret".

If it's the view of forum members not to use such a system, then what is the alternative secure system to store "secrets" which can still be used within a Python script? Because it is my understanding, as a novice, that you cannot include external path names with the import function.

Thanks
JohnW
#6
(Nov-07-2023, 11:58 AM)ejwjohn Wrote: The question in my opinion is still valid in that if you create a file within your system which contains "secrets" and your system has been hacked then there's a very good chance that your "secrets" are no longer "secret".

If a hacker has access to your System, then you've lost, and it doesn't matter where your credentials are saved.

Storing credentials in a file next to your source code, prevents accidentally uploading code with credentials included. This is why we use extra files for credentials.

You could try following:
  • Make a small example project and upload it to github
  • Then add credentials to your source code and push the change
  • Then try anything to get rid of the credentials in the source code; they must not be visible in the commits. Good luck.
Almost dead, but too lazy to die: https://sourceserver.info
All humans together. We don't need politicians!
#7
Quote: If a hacker has access to your System, then you've lost, and it doesn't matter where your credentials are saved.

Hmmm, I don't think I agree with the complete statement, if you are diligent in organizing how your important info is stored it should not all be in the same place.

I was hoping that somewhere there was a solution that allowed you to store your "secrets" in the secure cloud, then use an "import" function that allows you to access the cloud "secrets" for use within the Python script?

But perhaps not....
#8
(Nov-07-2023, 10:17 PM)ejwjohn Wrote: i was hoping that somewhere there was a solution that allowed you to store your "secrets" into the secure cloud then use an "import" function that allows you to access the cloud "secrets" to use within the Python script??
In the end, if the Python script accesses the secret, it means that it can read the information that gives access to the secret, such as a password or some encryption key, unless it asks the user to interactively enter a password (which of course can be compromised by key loggers).

Among the possible setups, the Python program could read a configuration file containing the location of the secret file, whether it be on the user's file system or in a cloud. It is the user's responsibility to manage the configuration file's permissions and the access to their user account. As @DeaD_EyE says, if a hacker can obtain the same permissions as the Python program, there seems to be no way to prevent it from accessing the secret.
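Added example (not code from anyone in this thread): a stdlib-only version of the setup described in post #8. A small config file names where the secrets file lives, the script follows that path, checks that the secrets file is owned by the current user and not readable by group or others, and only then loads it. Nothing is imported as a module, so the secrets file can sit anywhere on disk, including outside the git repository, which also sidesteps the "you cannot include external path names with import" worry from post #5. The file names and credentials are constructed sample data. One caveat worth knowing: `secrets` is also the name of a Python standard-library module, so a local `secrets.py` next to your script shadows it for everything that script imports; a name like `mail_credentials.json` avoids that.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not code from the thread. Assumed layout: app_config.json names
# where the secrets file lives; mail_credentials.json holds the credentials.
# Neither is a Python module, so no "import" is involved and the secrets file
# can live outside the project directory (and outside the git repository).


def write_private(path: Path, text: str) -> None:
    """Create the file with mode 0600 from the start, rather than chmod-ing after
    a default (often world-readable) write, which leaves a window to read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def check_private(path: Path) -> None:
    """Refuse a secrets file that other local users could read or replace."""
    if os.name == "nt":
        return  # POSIX mode bits mean nothing on Windows; rely on NTFS ACLs there
    st = path.stat()
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")


def load_secrets(config_path: Path) -> dict:
    """Read the config, follow it to the secrets file, verify permissions, load."""
    cfg = json.loads(config_path.read_text())
    secrets_path = Path(cfg["secrets_file"]).expanduser()
    check_private(secrets_path)
    return json.loads(secrets_path.read_text())


# Constructed sample data so the example runs offline.
SAMPLE_SECRETS = {"smtp_user": "john@example.invalid",
                  "smtp_password": "not-a-real-password"}


def _make_layout(secrets_mode: int) -> Path:
    """Build config + secrets files in a fresh temp dir; return the config path."""
    tmp = Path(tempfile.mkdtemp())
    secrets_file = tmp / "mail_credentials.json"
    write_private(secrets_file, json.dumps(SAMPLE_SECRETS))
    os.chmod(secrets_file, secrets_mode)  # the demo deliberately loosens this below
    config_file = tmp / "app_config.json"
    config_file.write_text(json.dumps({"secrets_file": str(secrets_file)}))
    return config_file


def demo_private() -> dict:
    """Happy path: secrets file is 0600 and owned by us."""
    return load_secrets(_make_layout(0o600))


def demo_world_readable_rejected() -> bool:
    """Failure mode: a 0644 secrets file must be refused on POSIX."""
    if os.name == "nt":
        return True  # permission-bit check is not applicable there
    try:
        load_secrets(_make_layout(0o644))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("loaded user:", demo_private()["smtp_user"])
    print("world-readable file rejected:", demo_world_readable_rejected())
```

The ownership and mode check does not protect against an attacker who already runs as your user, which is exactly the point made in posts #6 and #8; it protects against the much more common case of a secrets file accidentally left readable by every account on a shared machine.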
#9
Thank You
#10
Not perfect, but what I would do:
Create your secrets file
Use an encryption library to encrypt the data. Use a reasonable password.
Do not store the password in the script, rather request that from the user each time the script is run, using that to decrypt the data from the secrets file.
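Added example (not the poster's code): one way to implement the three steps in post #10. The password-to-key step uses scrypt from the standard library; the encryption itself uses Fernet from the `cryptography` package, which is assumed to be installed (`pip install cryptography`) and which gives authenticated encryption, so a wrong password and a tampered file are both detected rather than yielding garbage. The on-disk layout (a random 16-byte salt followed by the Fernet token) and the sample credentials are this example's own choices, not from the thread.

```python
import base64
import getpass
import hashlib
import json
import os
from pathlib import Path

from cryptography.fernet import Fernet, InvalidToken

# Added example, not code from the thread. Assumed file layout:
#   16-byte random salt || Fernet token (AES-128-CBC + HMAC-SHA256, authenticated)
SALT_LEN = 16
# scrypt work factors; raise N if the machine can afford it (memory ~ 128*N*r bytes)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _key_from_password(password: str, salt: bytes) -> bytes:
    """Stretch the user's password into a 32-byte key; Fernet wants it base64."""
    raw = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return base64.urlsafe_b64encode(raw)


def encrypt_secrets(secrets: dict, password: str) -> bytes:
    """Serialise the secrets dict and encrypt it under a fresh salt."""
    salt = os.urandom(SALT_LEN)
    token = Fernet(_key_from_password(password, salt)).encrypt(
        json.dumps(secrets).encode("utf-8"))
    return salt + token


def decrypt_secrets(blob: bytes, password: str) -> dict:
    """Inverse of encrypt_secrets; one error for wrong password or tampering,
    so the caller cannot tell which (that is deliberate)."""
    salt, token = blob[:SALT_LEN], blob[SALT_LEN:]
    try:
        plain = Fernet(_key_from_password(password, salt)).decrypt(token)
    except InvalidToken:
        raise ValueError("wrong password or tampered secrets file") from None
    return json.loads(plain)


def load_secrets_interactive(path: Path) -> dict:
    """What a script would call at start-up: the password is asked for, never stored."""
    return decrypt_secrets(path.read_bytes(), getpass.getpass("Secrets password: "))


# Constructed sample credentials so the example runs offline.
SAMPLE = {"smtp_user": "john@example.invalid",
          "smtp_password": "not-a-real-password"}


def roundtrip(password: str = "correct horse battery staple") -> dict:
    """Encrypt then decrypt with the same password; returns the original dict."""
    return decrypt_secrets(encrypt_secrets(SAMPLE, password), password)


def wrong_password_rejected() -> bool:
    """A wrong password must fail closed, not return near-plaintext."""
    blob = encrypt_secrets(SAMPLE, "right-password")
    try:
        decrypt_secrets(blob, "wrong-password")
    except ValueError:
        return True
    return False


def tamper_detected() -> bool:
    """Flipping one bit of the stored file must be caught by the HMAC."""
    blob = bytearray(encrypt_secrets(SAMPLE, "right-password"))
    blob[-1] ^= 0x01  # last byte lies inside the Fernet token's HMAC tag
    try:
        decrypt_secrets(bytes(blob), "right-password")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip() == SAMPLE)
    print("wrong password rejected:", wrong_password_rejected())
    print("tampering detected:", tamper_detected())
```

This closes the gap the original question asked about (the file on disk is no longer plain text), but it does not change the conclusion of posts #6 and #8: the decrypted credentials exist in the process's memory while the script runs, and the password typed in is only as safe as the machine it is typed on.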

