Quantcast

Jump to content


Photo

[Python] How should I store user credentials securely?

python

  • Please log in to reply
10 replies to this topic

#1 riotgrarrl

riotgrarrl
  • 8 posts

Posted 03 June 2018 - 09:59 AM

Hello!  Say I'm writing a script that logs into Neopets and performs x, y, z.  How should I save the input data from the username and password so that it cannot be easily accessed by others?  Or, is this even necessary?

 

Having no knowledge of how security works between networks and systems, I am not even sure what my approach/method should be.  Do I need to encrypt the data?  Is there a library that can do this for me, or is there a way to do this manually?

 

So far, I've been using pickle to store the data for my own purposes, and the .txt file I save it to is not protected at all.  I am uncertain if there are any risks for this information to get stolen, so any help on this topic would be greatly appreciated :help: :)

 

Thanks!



#2 Neoquest

Neoquest
  • 1760 posts


Users Awards

Posted 03 June 2018 - 10:21 AM

Do you need to save the login information to disk? If this is something that you're particularly stressing over, I'd say just have them enter it every time.

If you feel like you need to save it, imo just writing it in plain text to a file is fine. Someone would need physical access to your machine to access the password, in which case it doesn't really matter, since most of your passwords are already accessible through some kind of browser autofill. You could obfuscate the password with a cipher or encrypt it with some kind of key, but then the user would need to supply that every time anyway. It would change things if this was anything more serious than a Neopets password, but the odds that anyone will put in the engineering effort to gain access to people's neopets passwords by compromising their individual machines is...highly unlikely.

 

If you're storing multiple passwords on a server in a database or something, yeah, you should encrypt those.



#3 riotgrarrl

riotgrarrl
  • 8 posts

Posted 03 June 2018 - 11:12 AM

Do you need to save the login information to disk? If this is something that you're particularly stressing over, I'd say just have them enter it every time.

If you feel like you need to save it, imo just writing it in plain text to a file is fine. Someone would need physical access to your machine to access the password, in which case it doesn't really matter, since most of your passwords are already accessible through some kind of browser autofill. You could obfuscate the password with a cipher or encrypt it with some kind of key, but then the user would need to supply that every time anyway. It would change things if this was anything more serious than a Neopets password, but the odds that anyone will put in the engineering effort to gain access to people's neopets passwords by compromising their individual machines is...highly unlikely.

 

If you're storing multiple passwords on a server in a database or something, yeah, you should encrypt those.

 

Thanks for for clearing everything up for me!   :closed: 



#4 Pyro699

Pyro699
  • 1542 posts


Users Awards

Posted 03 June 2018 - 11:57 AM

If i know i am going to have variables like "password" saved in the file, i will usually do something like this:
 
 
In [1]: import base64
 
In [2]: base64.b64encode("<password>")
Out[2]: 'PHBhc3N3b3JkPg=='
 
In [3]: PASSWORD = base64.b64decode('PHBhc3N3b3JkPg==')
 
In [4]: PASSWORD
Out[4]: '<password>'
It is not as secure as the method @Neoquest posted... but it is useful if you do not want to enter the password everytime and do not care about the overall safety of the account.

#5 riotgrarrl

riotgrarrl
  • 8 posts

Posted 04 June 2018 - 06:42 AM

If i know i am going to have variables like "password" saved in the file, i will usually do something like this:
 
 

In [1]: import base64
 
In [2]: base64.b64encode("<password>")
Out[2]: 'PHBhc3N3b3JkPg=='
 
In [3]: PASSWORD = base64.b64decode('PHBhc3N3b3JkPg==')
 
In [4]: PASSWORD
Out[4]: '<password>'
It is not as secure as the method @Neoquest posted... but it is useful if you do not want to enter the password everytime and do not care about the overall safety of the account.

 

 

Thank you, I will try this out!

 

 

Though, hypothetically speaking, what's stopping someone from writing a program that requires a password through user input, so that it can login to a server only to steal the password by having it sent to another server that the programmer has access to?

 

If the user does not have access to the physical code, which seems to be true for most programs, how would they know what the program is actually doing?

 

Thanks for your time :) You'll have to forgive me if some of these questions have really obvious answers.


Edited by riotgrarrl, 04 June 2018 - 09:10 AM.


#6 Pyro699

Pyro699
  • 1542 posts


Users Awards

Posted 04 June 2018 - 09:28 AM

Though, hypothetically speaking, what's stopping someone from writing a program that requires a password through user input, so that it can login to a server only to steal the password by having it sent to another server that the programmer has access to?

Nothing is stopping a programmer from doing that, that is why you should only put in your information to sites you trust. Phishing sites do this mostly.
 
 

If the user does not have access to the physical code, which seems to be true for most programs, how would they know what the program is actually doing?

Short Answer: You don't know.
Long Answer: If you use things like packet sniffers, it would allow you to look at the communication between your computer and remote servers... however knowing what to look for can be quite difficult.

#7 J03

J03
  • 220 posts

Posted 05 June 2018 - 02:46 PM

This is why no one should be trusting a web-based bot. I know there is one available here and I'm not sure how the author managed to get that kind of privilege. He/she is actually saving all usernames, what about passwords? Even if he/she mentions "data is safe", there is no way we can know this for sure.

 

With a standalone program, you can actually use a packet sniffer on it and see where your information is going from beginning to end. No worries there once deemed safe.



#8 Pyro699

Pyro699
  • 1542 posts


Users Awards

Posted 05 June 2018 - 11:06 PM

Great post, very informative and useful. Thank-you for your ever-positive contribution.

#9 Valorous

Valorous
  • 1003 posts


Users Awards

Posted 06 June 2018 - 04:21 AM

Hello!  Say I'm writing a script that logs into Neopets and performs x, y, z.  How should I save the input data from the username and password so that it cannot be easily accessed by others?  Or, is this even necessary?

 

Having no knowledge of how security works between networks and systems, I am not even sure what my approach/method should be.  Do I need to encrypt the data?  Is there a library that can do this for me, or is there a way to do this manually?

 

So far, I've been using pickle to store the data for my own purposes, and the .txt file I save it to is not protected at all.  I am uncertain if there are any risks for this information to get stolen, so any help on this topic would be greatly appreciated :help: :)

 

Thanks!

You need to encrypt this data at the application level using an AES256 key that is encrypted by through a key derivation function using the user's master login. This way you do not have access to their data and only the application once the user has logged in can access this data. No one should trust you to do this properly.

 

Though, hypothetically speaking, what's stopping someone from writing a program that requires a password through user input, so that it can login to a server only to steal the password by having it sent to another server that the programmer has access to?

 

If the user does not have access to the physical code, which seems to be true for most programs, how would they know what the program is actually doing?

 

Thanks for your time :) You'll have to forgive me if some of these questions have really obvious answers.

You can't stop them much like you can't stop someone from releasing a limited time update that sends credentials off then updates again with a clean copy or sends their credentials off in the first place.

 

This is why no one should be trusting a web-based bot. I know there is one available here and I'm not sure how the author managed to get that kind of privilege. He/she is actually saving all usernames, what about passwords? Even if he/she mentions "data is safe", there is no way we can know this for sure.

 

With a standalone program, you can actually use a packet sniffer on it and see where your information is going from beginning to end. No worries there once deemed safe.

No one should trust storage of their information. There are many laws that protect data with gigantic fines for violations in attempts to encourage trust. You still have to trust that the organization is not a criminal organization.

 

With a standalone software you still have no guarantee of safety. Wireshark will not help you against encrypted traffic where certificate pinning is used. It will also not help you if traffic is encrypted at the application level. There your options become static and dynamic analysis. These can allow you to determine the nature of the software and if the developer has malicious intent.

 

Every update the analyst shall repeat this cycle before trusting at which point it is often easier to write your own implementation if you do not trust.



#10 riotgrarrl

riotgrarrl
  • 8 posts

Posted 06 June 2018 - 12:37 PM

@Pyro699, @ J03 , @Valorous,

 

Before this thread, I wasn't aware that the safety of a software program was left to the discretion of the user, but thinking about it now, it makes perfect sense that the user should take full responsibility for any information they give away.  Thanks for your explanations!

 

You need to encrypt this data at the application level using an AES256 key that is encrypted by through a key derivation function using the user's master login. This way you do not have access to their data and only the application once the user has logged in can access this data. No one should trust you to do this properly.

 

That sounds way out of my league right now, but thank you for this information.  I hope I can use this one day :thumbsup:



#11 txtsd

txtsd
  • 33 posts

Posted 24 September 2018 - 11:18 PM

That sounds way out of my league right now, but thank you for this information.  I hope I can use this one day :thumbsup:

 

This may or may not help depending on your level of (non)expertise. Python is dead easy though. I learned by reading through someone else's bot code and modifying it to use my own logic and algorithms.





Also tagged with one or more of these keywords: python

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users