Programming Password Security

When a program is being developed, for me in Python, and the goal is to have a functional account automate some task.

A functional account is an authenticated account that is not used by a human, but a program for a specific purpose. For example, a functional account could be a username and password combo used to login into a Linux machine and issue a command every day.

The issue is, that password has to live some where and the code will lead a hacker to it’s location:

  • locally on a the machine
  • remotely on another

So the questions are:

  • Where do we keep it?
  • What is the best way to keep it secure?

Dilemmas

System Root Compromise

Let’s just start with this one. If this happens, then all bets are off if the hacker is motivated.

If the hacker:

  • has already hacked root/administrator on the system
  • found the code

The hacker will have access to be able to decrypt the file, change permissions, read where the file is located and so on.

Non-Root Account Comprimise

The more likely scenerio would be that a hacker will try to gain access to the file system and then search for passwords via GREP or other means of reading. This could be done by Joe Schmo make their password easy to hack (dictionary attack) or just finding it in a text file on local on their personal machine.

Viable Options

Below are some options that will add some layers for a hacker to peel through to get what they want.

  • Separate file
    • Storing the password in a separate file, but locking it down to a specific user like root or some other account
    • Also setting the file to executable only (Linux)
      • chmod 111 filename
                                
    • Unless you are root, you cannot read this file.
  • .netrc
    • It’s just a plain text file in your home directory.
    • Does not work if you have a cronjob running from root
    • There is a python module called Netrc
  • BASE64
    • Base64 is just a different Character set. It encodes ASCII to BASE64 characters.
    • It will only help to protect against shoulder surfers (people that are looking at you typing your password in or looking at your computer screen)
      • But not for computers that can remember all of those characters
    • This is included in Python standard library
  • Using Python File
    • Storing the passwords as variables in a python file like secrets.py
    • I would not call it secrets.py or password.py as that would just be a target file for a hacker. Maybe it should just be called some off the wall like spinach.py?
    • Once created you can just import the secret variable that you want
    • from secrets import password1
                      print(password1)
                      >'123345'
                      
  • Store all passwords as hashes
    • Hashing passwords is just a one way conversion of data into another form
    • Each different type of hash uses a different algorithm
    • Once this is done, in order to see if a password matches both ends have to hash it the same way
      • with or without salt (salting)
  • Encrypt the file or Passwords in a file
    • Encrypting the passwords in a file at rest and decrypting them when needed via the python script.

      -There a lot of different ways to do this

      • Here are some starter python modules
        • Hashlib – This will get you a key to help encrypt
        • pycrypto – Once you have your key encrypt or decrypt

Solution

As we can see in the above dilemmas, there is no perfect answer, sometimes some obscurity is better than nothing. Once the root or administrator account is comprised, there’s not much you can do if the hacker is motivated enough.

My plan is to use a file with encrypted passwords at rest and then decrypt them as needed. The application that I am using does not give me control on both end to just do hashing, so that’s not an option.

About Daniel Fredrick

Technology enthusiast, Programmer, Network Engineer CCIE# 17094

View all posts by Daniel Fredrick →

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.