安全地存储python脚本中使用的密码[duplicate]

时间:2022-08-04 23:06:29

Possible Duplicate:
I need to securely store a username and password in Python, what are my options?

可能重复:我需要在Python中安全地存储用户名和密码,我有什么选择?

I am looking for a way to securely store passwords which I intend to use in some Python scripting. I will be logging into different things and I don't want to store the passwords as plaintext in the script itself.

我正在寻找一种在某些Python脚本中使用的安全存储密码的方法。我将登录不同的东西,我不想把密码作为明文保存在脚本中。

Instead I was wondering if there is anything which is able to securely store those passwords and then retrieve them using something like a master password which I could enter to the script at the beginning.

相反,我想知道是否有什么东西能够安全地存储这些密码,然后使用像主密码这样的东西来检索它们,我一开始就可以输入到脚本中。

3 个解决方案

#1


36  

Know the master key yourself. Don't hard code it.

你自己知道主键。不要硬编码。

Use py-bcrypt (bcrypt), powerful hashing technique to generate a password yourself.

使用py-bcrypt (bcrypt),强大的散列技术自己生成密码。

Basically you can do this (an idea...)

基本上你可以这么做(一个想法…)

import bcrypt
from getpass import getpass
master_secret_key = getpass('tell me the master secret key you are going to use')
salt = bcrypt.gensalt()
combo_password = raw_password + salt + master_secret_key
hashed_password = bcrypt.hashpw(combo_password, salt)

save salt and hashed password somewhere so whenever you need to use the password, you are reading the encrypted password, and test against the raw password you are entering again.

在某处保存salt和散列密码,以便当您需要使用密码时,您正在读取加密的密码,并针对再次输入的原始密码进行测试。

This is basically how login should work these days.

这就是现在登录的基本方式。

#2


11  

I typically have a secrets.py that is stored separately from my other python scripts and is not under version control. Then whenever required, you can do from secrets import <required_pwd_var>. This way you can rely on the operating systems in-built file security system without re-inventing your own.

我通常有一个秘密。与其他python脚本分开存储的py,不受版本控制。然后,无论何时需要,您都可以从secret导入 进行操作。通过这种方式,您可以依赖于内建文件安全系统中的操作系统,而无需重新创建自己的系统。

Using Base64 encoding/decoding is also another way to obfuscate the password though not completely secure

使用Base64编码/解码也是模糊密码的另一种方法,尽管并不完全安全

More here - Hiding a password in a python script (insecure obfuscation only)

更多信息,在python脚本中隐藏密码(仅用于不安全混淆)

#3


3  

the secure way is encrypt your sensitive data by AES and the encryption key is derivation by password-based key derivation function (PBE), the master password used to encrypt/decrypt the encrypt key for AES.

安全的方法是通过AES加密敏感数据,加密密钥是通过基于密码的密钥派生函数(PBE)进行派生,主密码用于对AES的加密密钥进行加密/解密。

master password -> secure key-> encrypt data by the key

主密码->安全密钥->通过密钥加密数据

You can use pbkdf2

您可以使用pbkdf2

from PBKDF2 import PBKDF2
from Crypto.Cipher import AES
import os
salt = os.urandom(8)    # 64-bit salt
key = PBKDF2("This passphrase is a secret.", salt).read(32) # 256-bit key
iv = os.urandom(16)     # 128-bit IV
cipher = AES.new(key, AES.MODE_CBC, iv)

make sure to store the salt/iv/passphrase , and decrypt using same salt/iv/passphase

一定要储存盐/iv/密码酶,并用同样的盐/iv/密码酶解密

Weblogic used similar approach to protect passwords in config files

Weblogic也使用类似的方法来保护配置文件中的密码

#1


36  

Know the master key yourself. Don't hard code it.

你自己知道主键。不要硬编码。

Use py-bcrypt (bcrypt), powerful hashing technique to generate a password yourself.

使用py-bcrypt (bcrypt),强大的散列技术自己生成密码。

Basically you can do this (an idea...)

基本上你可以这么做(一个想法…)

import bcrypt
from getpass import getpass
master_secret_key = getpass('tell me the master secret key you are going to use')
salt = bcrypt.gensalt()
combo_password = raw_password + salt + master_secret_key
hashed_password = bcrypt.hashpw(combo_password, salt)

save salt and hashed password somewhere so whenever you need to use the password, you are reading the encrypted password, and test against the raw password you are entering again.

在某处保存salt和散列密码,以便当您需要使用密码时,您正在读取加密的密码,并针对再次输入的原始密码进行测试。

This is basically how login should work these days.

这就是现在登录的基本方式。

#2


11  

I typically have a secrets.py that is stored separately from my other python scripts and is not under version control. Then whenever required, you can do from secrets import <required_pwd_var>. This way you can rely on the operating systems in-built file security system without re-inventing your own.

我通常有一个秘密。与其他python脚本分开存储的py,不受版本控制。然后,无论何时需要,您都可以从secret导入 进行操作。通过这种方式,您可以依赖于内建文件安全系统中的操作系统,而无需重新创建自己的系统。

Using Base64 encoding/decoding is also another way to obfuscate the password though not completely secure

使用Base64编码/解码也是模糊密码的另一种方法,尽管并不完全安全

More here - Hiding a password in a python script (insecure obfuscation only)

更多信息,在python脚本中隐藏密码(仅用于不安全混淆)

#3


3  

the secure way is encrypt your sensitive data by AES and the encryption key is derivation by password-based key derivation function (PBE), the master password used to encrypt/decrypt the encrypt key for AES.

安全的方法是通过AES加密敏感数据,加密密钥是通过基于密码的密钥派生函数(PBE)进行派生,主密码用于对AES的加密密钥进行加密/解密。

master password -> secure key-> encrypt data by the key

主密码->安全密钥->通过密钥加密数据

You can use pbkdf2

您可以使用pbkdf2

from PBKDF2 import PBKDF2
from Crypto.Cipher import AES
import os
salt = os.urandom(8)    # 64-bit salt
key = PBKDF2("This passphrase is a secret.", salt).read(32) # 256-bit key
iv = os.urandom(16)     # 128-bit IV
cipher = AES.new(key, AES.MODE_CBC, iv)

make sure to store the salt/iv/passphrase , and decrypt using same salt/iv/passphase

一定要储存盐/iv/密码酶,并用同样的盐/iv/密码酶解密

Weblogic used similar approach to protect passwords in config files

Weblogic也使用类似的方法来保护配置文件中的密码