
I am working on a small project of my own and am using Selenium to log into a website and currently I have my username and password hardcoded in the .py file. What kind of risks do I face? I am the only one who has access to this file and it will only be stored on this computer.

I can only think of my password being at risk if I get a virus/have my computer hacked.

jlcv

2 Answers


Number one rule EVERY I.T. knows. "Security" is a state of mind. There is no absolute security. So it depends. Do you have an antivirus updated and running? Easy question right?

Is your antivirus capable of detecting threats and protecting you? Tricky question? Let's say yes...

Are there any zero-day exploits out there for your operating system? Well, here is a question you cannot answer...

So hardcoding a password is never a good practice. But what matters most is changing it (removing the hardcoded version) after you finish with the project.

Your question is a huge topic.

To keep it simple, you are never 100% safe. All right? So being hacked or getting a virus is really enough.

The real question is, is this a security issue you have to be a maniac? Do you have to keep this password ultra secure for some reason? If yes... well... don't hardcode it.

If you are not paranoid about the security of this project, well just don't forget to remove such a password, remove the hardcoded one too and make a new password access.

I hope this helped you.

George Eco

There is an easy way to make a hardcoded password more secure. Instead of storing it directly in your source code, first calculate a hash and store only this hash in the source code.

This is standard practice for storing passwords, and even if somebody can read the source code, he cannot see the plaintext password; he would have to crack it first. To calculate the hash you should follow the same rules as for storing them in a database: prefer a slow hash algorithm with a cost factor like BCrypt or PBKDF2.

martinstoeckli
  • When you say "database" what do you mean? Does that mean store the real password in another file on my computer and then compare the hash with it? I tried looking for a tutorial/guide on how to use the hashed password to log in but with no success. If the password is not hardcoded in the script, how can I send the password to the website to log in? Wouldn't I have to "unhash" the hashed password which would defeat the purpose of hashing in the first place. – jlcv Aug 29 '14 at 23:34
  • The thing is, I need to send this hardcoded password to websites such as gmail to log in and access e-mails. Thus, I cannot send the hashed value over. – jlcv Aug 30 '14 at 00:44
  • I came up with a new solution, I decided to just input it each time I ran the script, see my post http://stackoverflow.com/questions/25579317/tkinter-binding-and-get-issues/25580656#25580656. Although I am still curious about how to do it with your method using hashes. – jlcv Aug 30 '14 at 08:57
  • @JustinLiang - Seems I misunderstood your question, I thought that other people should be able to login to your own website/application. In your case, when you need the password plaintext to login to external sites, there is no safe way to store the password. The only possibility is the one you wrote about in the comment, to pass the password for each session. With such an entered password you could also encrypt several other passwords, and store them safely on the server/application if necessary. – martinstoeckli Aug 31 '14 at 09:40
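The two situations discussed in this answer and its comments, as an added example (not code from the question or the answer): a salted PBKDF2 hash stored in the script can only *verify* a password typed at run time, which is what the answer originally assumed; it cannot reproduce the plaintext that a Selenium login to an external site needs, so for that case the password is prompted for per session and never written to disk. Uses only the Python standard library; the iteration count and the `pbkdf2_sha256$...` storage format are assumptions, and `credentials_for_login` is a hypothetical helper.

```python
import getpass
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed PBKDF2-HMAC-SHA256 parameters; raise ITERATIONS as your hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' (assumed format).

    This string is what you could keep in the source: it lets the script check
    a typed password, but nobody reading the file can recover the plaintext.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def credentials_for_login() -> Tuple[str, str]:
    """The external-site case from the comments (hypothetical helper).

    A hash cannot be 'unhashed' into what the login form needs, so the plaintext
    is asked for once per session: getpass does not echo it, and it only lives
    in memory, never in the .py file.  Pass the returned values to send_keys().
    """
    user = input("username: ")
    password = getpass.getpass("password: ")
    return user, password
```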