On 1/19/2015 7:48 AM, Paul Koning wrote:
>> On Jan 19, 2015, at 7:27 AM, Bob Hood <bho...@comcast.net> wrote:
>>
>> On 1/19/2015 12:07 AM, Tim Roberts wrote:
>>> On Jan 18, 2015, at 12:11 PM, Alp Tunga Özkul <alptungaz...@hotmail.com> wrote:
>>>> As far as I know Username + Password =(MD5/SHA) Hash. And it is 
>>>> irreversible. I need the actual Username and Password to login to Servers 
>>>> (WMI).
>>>>
>>>> Because let's say there are 10 different servers with 10 different 
>>>> credentials that my user uses to access those servers, I need to store user 
>>>> given credentials for the next session.
>>> There is simply no general solution.  If your program can recover the 
>>> plaintext password, then anyone with access to the text files can recover 
>>> the plaintext password.
>>>
>>> If you don’t want to store the passwords, then your only solution is to ask 
>>> the user to enter them every time.
>> I'm probably missing some crucial point here, but with Python being the host 
>> environment, why wouldn't the Python "keyring" module provide the hardened 
>> storage the OP is seeking?  Each major OS (Windows, OS X and Linux) has an 
>> operating system-hosted location for storing sensitive data--such as 
>> passwords--so they cannot easily be accessed.  The "keyring" provides a 
>> framework for accessing each.
>>
>> Absolutely no need to store them in plain text files on any OS.
> The advantage of text files is that it makes it clear that the storage is NOT 
> secure.  The drawback of other schemes is that they may also be insecure, but 
> give the user an illusion of security.  For example, if your script can 
> extract the secret, so presumably can any other script or program.  If so, 
> why not use a text file?  At least that way it’s clear that the barn door is 
> wide open.

Agreed.  However, most of the time, those who have compromised your system are
doing a smash-and-grab where they are just looking for files they can copy. 
It takes more time and effort to find (or upload) a program that they can
execute to extract "hidden" information than to simply discover a file called
"passwords.txt" and copy that to their local system.

Sony did this--quite literally had a file called "passwords.txt" that quite
literally contained user names and passwords.  It's understood that storing
these things in an operating system-specific "vault" would not be 100% safe,
but, in the end, it certainly would have been more of a deterrent than just
putting your passwords into a plain text file.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
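
Added example (not part of any message in this thread): the keyring approach Bob Hood describes, applied to the original poster's case of several servers with different logins. It assumes the third-party "keyring" package and its set_password/get_password calls; the service-name prefix, the JSON index file and the MemoryStore stand-in are hypothetical names constructed for this example.

```python
import json
import tempfile
from pathlib import Path

SERVICE_PREFIX = "wmi-login:"  # hypothetical naming scheme for vault entries

def default_store():
    import keyring  # third-party package, imported lazily (assumed installed)
    return keyring

def load_index(index_path):
    """Map of server -> username; holds no secrets, so plain JSON is fine."""
    path = Path(index_path)
    return json.loads(path.read_text()) if path.exists() else {}

def save_credential(index_path, server, username, password, store=None):
    """Put the password in the OS vault and only the username in the index."""
    store = default_store() if store is None else store
    store.set_password(SERVICE_PREFIX + server, username, password)
    index = load_index(index_path)
    index[server] = username
    Path(index_path).write_text(json.dumps(index, indent=2))

def load_credential(index_path, server, store=None):
    """Return (username, password), or None so the caller can prompt again."""
    store = default_store() if store is None else store
    username = load_index(index_path).get(server)
    if username is None:
        return None
    password = store.get_password(SERVICE_PREFIX + server, username)
    return None if password is None else (username, password)

class MemoryStore:
    """Constructed stand-in with the same two calls, for running offline."""
    def __init__(self):
        self.items = {}
    def set_password(self, service, username, password):
        self.items[(service, username)] = password
    def get_password(self, service, username):
        return self.items.get((service, username))

def demo():
    """Round-trip one constructed credential; return it and the index text."""
    store = MemoryStore()
    with tempfile.TemporaryDirectory() as tmp:
        index = Path(tmp) / "servers.json"
        save_credential(index, "srv01", "CORP\\admin", "constructed-pw", store)
        return load_credential(index, "srv01", store), index.read_text()
```

As Paul Koning's reply notes, any program running as the same user can make the same get_password call, so this keeps the password out of copyable files but not away from code executing in the user's session.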
