I'm working with sqlalchemy and oracle, but I don't want to store the database password directly in the connection string. How do I store an encrypted password instead?
What do you mean by storing the connection string? – univerio Mar 14 '17 at 04:43
3 Answers
You could encode the string, but encoding is not encrypting as Gord Thompson mentioned in the comments. Anyone with a bit of knowledge about base64 can reverse it.
import base64
password = "yourpassword".encode("utf-8")
encoded = base64.b64encode(password)
print(encoded)
Decoding it is a matter of
decoded = base64.decodebytes(encoded).decode('utf-8')
print(decoded)
You can use a hashed password:
- You can use the generate_password_hash function from werkzeug.security to generate a secure hash of the password.
Code:
from werkzeug.security import generate_password_hash
password = "your_password_here"
# 'pbkdf2:sha256' is the salted, iterated SHA-256 method; the plain 'sha256'
# method was removed in Werkzeug 3, so this spelling works on old and new versions.
hashed_password = generate_password_hash(password, method='pbkdf2:sha256')
As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 17 '22 at 13:31
Note that *encoding* something is not the same as *encrypting* it. – Gord Thompson Jan 17 '22 at 14:05
I guess you are looking for module PyCrypto
You may use your desired encryption, store the encrypted text in the database, and after fetching the data you can decrypt it again.
Here is an example for PyCrypto:
>>> from Crypto.Hash import SHA256
>>> hash = SHA256.new()
>>> hash.update(b'message')  # Python 3 requires bytes here, not str
>>> hash.digest()
b'\xabS\n\x13\xe4Y\x14\x98+y\xf9\xb7\xe3\xfb\xa9\x94\xcf\xd1\xf3\xfb"\xf7\x1c\xea\x1a\xfb\xf0+F\x0cm\x1d'
For more, you may refer to this documentation.
Thanks, but this is not what I want, because the encryption algorithm can be obtained by reading the code. Is there any encryption mechanism inside sqlalchemy for this? – leon Mar 14 '17 at 03:18
you may try this: http://variable-scope.com/posts/storing-and-verifying-passwords-with-sqlalchemy – Shubham Namdeo Mar 14 '17 at 06:13
Or you may want to go with this solution from stackoverflow itself: http://stackoverflow.com/a/33717279/6918812 – Shubham Namdeo Mar 14 '17 at 06:14
I think as soon as the hacker is able to read your code he will always be able to decrypt your password. The only way to protect your password is to prompt the user for it instead of storing it in the code. – Wernfried Domscheit Mar 14 '17 at 07:51
Encrypting the password isn't necessarily very useful, since your code will have to contain the means to decrypt it. Usually what you want to do is store the credentials separately from the codebase and have the application read them at runtime. For example*:
- read them from a file
- read them from command line arguments or environment variables (note there are operating system commands that can retrieve these values from a running process, or they may be logged)
- use a password-less connection mechanism, for example Unix domain sockets, if available
- fetch them from a dedicated secrets management system
You may also wish to consider encrypting the connections to the database, so that the password isn't exposed in transit across the network.
* I'm not a security engineer: these examples are not exhaustive and may have other vulnerabilities in addition to those mentioned.
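The pattern the answer above describes (credentials read at runtime from the environment, a secret file, or a prompt, never from source), as an added example that is not part of any answer on this page. It uses only the standard library so it runs without SQLAlchemy or an Oracle driver; the environment variable names `APP_DB_PASSWORD` and `APP_DB_PASSWORD_FILE` and the host and service names are assumptions for illustration. The URL it builds is the `oracle+cx_oracle://user:password@host:port/?service_name=...` form that SQLAlchemy documents for Oracle, with the user and password percent-encoded so that characters such as `@`, `/` or `:` cannot break the URL.

```python
"""Build a SQLAlchemy Oracle URL without embedding the password in the code."""
import getpass
import os
from pathlib import Path
from urllib.parse import quote_plus


def load_db_password(env_var="APP_DB_PASSWORD",
                     file_env_var="APP_DB_PASSWORD_FILE",
                     environ=None, prompt=getpass.getpass):
    """Return the password from the first source that has it:
    1. an environment variable (assumed name APP_DB_PASSWORD),
    2. a file whose path is in APP_DB_PASSWORD_FILE (the Docker/Kubernetes
       secret-file convention; keep that file mode 0600),
    3. an interactive prompt via getpass, which never echoes the input.
    There is deliberately no hard-coded default to fall back to."""
    env = os.environ if environ is None else environ
    if env.get(env_var):
        return env[env_var]
    secret_path = env.get(file_env_var)
    if secret_path:
        # Secret files are normally written with a trailing newline; strip it.
        return Path(secret_path).read_text(encoding="utf-8").strip()
    return prompt("Database password: ")


def build_oracle_url(user, password, host, service_name, port=1521,
                     driver="oracle+cx_oracle"):
    """Assemble the URL string create_engine() accepts for Oracle.
    quote_plus() encodes every reserved character, so a password such as
    'p@ss/w:rd' becomes 'p%40ss%2Fw%3Ard' and cannot be mis-parsed as a host."""
    return (f"{driver}://{quote_plus(user)}:{quote_plus(password)}@{host}:{port}"
            f"/?service_name={quote_plus(service_name)}")


def redact_url(url):
    """Return the URL with the password replaced by '***' for logs and
    error messages. The raw '@' before the host is always the separator,
    because any '@' inside the credentials was percent-encoded."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url
    creds, at, hostpart = rest.rpartition("@")
    if not at or ":" not in creds:
        return url
    user = creds.partition(":")[0]
    return f"{scheme}://{user}:***@{hostpart}"


if __name__ == "__main__":
    # Constructed demo values: the process environment would normally supply these.
    demo_env = {"APP_DB_PASSWORD": "p@ss/w:rd"}
    secret = load_db_password(environ=demo_env)
    url = build_oracle_url("app_user", secret, "db.example.internal", "ORCLPDB1")
    # Only the redacted form should ever reach a log line.
    print(redact_url(url))
```

In real code the returned string goes straight into `sqlalchemy.create_engine(url)`; SQLAlchemy 1.4 and later also offer `sqlalchemy.engine.URL.create(...)`, which takes the components as keyword arguments and performs the same escaping itself. Whichever you use, log only the redacted form: SQLAlchemy's own `Engine` and `URL` reprs already mask the password, but a URL you formatted into a message yourself does not.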