On 1/19/2015 7:48 AM, Paul Koning wrote:
>> On Jan 19, 2015, at 7:27 AM, Bob Hood <bho...@comcast.net> wrote:
>>
>> On 1/19/2015 12:07 AM, Tim Roberts wrote:
>>> On Jan 18, 2015, at 12:11 PM, Alp Tunga Özkul <alptungaz...@hotmail.com>
>>> wrote:
>>>> As far as I know Username + Password =(MD5/SHA) Hash. And it is
>>>> irreversible. I need the actual Username and Password to login to Servers
>>>> (WMI).
>>>>
>>>> Because let's say there are 10 different servers with 10 different
>>>> credentials that my user uses to access those servers, I need to store
>>>> user-given credentials for the next session.
>>> There is simply no general solution. If your program can recover the
>>> plaintext password, then anyone with access to the text files can recover
>>> the plaintext password.
>>>
>>> If you don’t want to store the passwords, then your only solution is to ask
>>> the user to enter them every time.
>> I'm probably missing some crucial point here, but with Python being the host
>> environment, why wouldn't the Python "keyring" module provide the hardened
>> storage the OP is seeking? Each major OS (Windows, OS X and Linux) has an
>> operating system-hosted location for storing sensitive data--such as
>> passwords--so they cannot easily be accessed. The "keyring" provides a
>> framework for accessing each.
>>
>> Absolutely no need to store them in plain text files on any OS.
> The advantage of text files is that it makes it clear that the storage is NOT
> secure. The drawback of other schemes is that they may also be insecure, but
> give the user an illusion of security. For example, if your script can
> extract the secret, so presumably can any other script or program. If so,
> why not use a text file? At least that way it’s clear that the barn door is
> wide open.

Agreed. However, most of the time, those who have compromised your system are
doing a smash-and-grab where they are just looking for files they can copy. It
takes more time and effort to find (or upload) a program that they can execute
to extract "hidden" information than to simply discover a file called
"passwords.txt" and copy that to their local system.

Sony did this--quite literally had a file called "passwords.txt" that quite
literally contained user names and passwords. It's understood that storing
these things in an operating system-specific "vault" would not be 100% safe,
but, in the end, it certainly would have been more of a deterrent than just
putting your passwords into a plain text file.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
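
The keyring approach suggested in this thread, as an added example that is not
part of the original messages: one vault entry per server holding both the
username and the password, so they are available again in the next session.
The class names, the service name "example-wmi-tool" and the in-memory backend
are assumptions made for the illustration; when no backend is passed, the
third-party keyring package is used.

```python
import json
from getpass import getpass


class MemoryBackend:
    """Constructed stand-in with the same three calls as the keyring module.
    For offline runs only; it protects nothing."""

    def __init__(self):
        self._items = {}

    def set_password(self, service, key, secret):
        self._items[(service, key)] = secret

    def get_password(self, service, key):
        return self._items.get((service, key))

    def delete_password(self, service, key):
        self._items.pop((service, key), None)


class ServerCredentials:
    """One vault entry per server, holding username and password together."""

    def __init__(self, backend=None, service="example-wmi-tool"):
        if backend is None:
            import keyring  # third-party package; talks to the OS vault
            backend = keyring
        self.backend = backend
        self.service = service  # hypothetical application name

    def save(self, server, username, password):
        blob = json.dumps({"username": username, "password": password})
        self.backend.set_password(self.service, server.lower(), blob)

    def load(self, server):
        blob = self.backend.get_password(self.service, server.lower())
        if blob is None:  # nothing stored for this server yet
            return None
        item = json.loads(blob)
        return item["username"], item["password"]

    def load_or_prompt(self, server, ask=input, ask_secret=getpass):
        found = self.load(server)
        if found is None:  # first session for this server: ask once, then keep
            found = (ask(f"User for {server}: "), ask_secret("Password: "))
            self.save(server, *found)
        return found

    def forget(self, server):
        self.backend.delete_password(self.service, server.lower())
```

The caveat raised in the thread still applies: whatever this script can read
back, other code running as the same user can generally read too.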