
I am currently writing a script on a Raspberry Pi (in Python) to automate some tasks in online accounts. While some of these online accounts have nice APIs I can use, others do not, and I have to resort to using mechanize to scrape them. This presents the problem of having to store login information. I don't want to store it as plaintext, and keeping it only in RAM would make it tedious to type in every password every time I boot the Pi.

My question then is, what is the best way to go about this? Searching through previous posts indicates that hashing it would be best. However, there is then no way to actually recover the passwords from the hash to login to each website. The passwords must be submitted to the web form as plaintext (just like a normal login). Any help would be appreciated.

DickJ
  • The solution to that involved hashing. I can't hash the passwords in this problem because they need to be submitted to the web forms (via mechanize) in plaintext. – DickJ Oct 25 '16 at 15:54
  • No, the solution does not involve hashing. Check out the top answer (you can ignore the orange box, the part relevant to you is the numbered list). – Anders Oct 25 '16 at 15:56
  • Hard-coded passwords are (still) professionally acceptable if the file/device containing them is protected. A Pi project doesn't indicate a need for fancy hardware boxes... – dandavis Oct 25 '16 at 17:09

1 Answer

The idea of password storage is to make it as hard as possible for an attacker to get it, because you can't ever stop them from getting it altogether. You are correct that hashing is not what you want, because hashing is for making sure that two inputs are the same (i.e. useful for verifying that a user knows the password), not for storing passwords in the way you are talking about.

What I would do in your situation is one of two things:

  1. Try to remove the need for the passwords: can you log in manually and then keep the session key alive, or have the program look at a password file that you then delete? (Remember that saved files leave ghosts of themselves, so maybe keep the file on a USB stick that can be destroyed if you are that security conscious.)
  2. Protect the password file. This can be done using the user access controls on Linux (make it readable only by the user who is running the program, and then have a good password on that user account), but you should also have some encryption over the file too, because user access controls can be gotten around by manipulating the storage media directly. I can't help you with suggesting encryption methods, but it would be something you would enter a password to decrypt so the program can read it and put it into memory. An SQLite database would be one way to get access control and encryption with (relatively) little setup.
Topher Brink
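As an added illustration of the second option in the answer above (not code from the question, the answer, or any project), here is a small stdlib-only Python vault: the script asks for one passphrase at start-up, stretches it with PBKDF2 into an encryption key and a MAC key, checks that the credential file is not readable by other users (the "user access" half of the advice), verifies an HMAC tag before trusting the contents, and only then decrypts the JSON of site credentials into memory. The cipher here is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the example runs without third-party packages; for a real deployment the `cryptography` package's authenticated ciphers are the better choice. The file format tag, the iteration count and the sample credentials are constructed for this example.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

MAGIC = b"PWV1"           # constructed file-format tag for this example, not a standard
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000   # assumption: tune so start-up on the Pi takes well under a second


def derive_keys(passphrase, salt):
    """Stretch the user's passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stdlib-only illustration).
    Applying it twice with the same key and nonce restores the original bytes."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_credentials(creds, passphrase):
    """Serialise a credentials dict and return MAGIC | salt | nonce | ciphertext | tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    ct = keystream_xor(enc_key, nonce, json.dumps(creds).encode())
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return header + ct + tag


def decrypt_credentials(blob, passphrase):
    """Verify the tag first, then decrypt; raises ValueError on a bad passphrase or tampering."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a credential vault")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ct, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:hdr_len] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or vault file has been modified")
    return json.loads(keystream_xor(enc_key, nonce, ct))


def try_decrypt(blob, passphrase):
    """Convenience wrapper: the credentials dict, or None if the vault will not open."""
    try:
        return decrypt_credentials(blob, passphrase)
    except ValueError:
        return None


def write_vault(path, creds, passphrase):
    """Create the vault with mode 0600 from the start, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(encrypt_credentials(creds, passphrase))


def read_vault(path, passphrase):
    """Refuse to use a vault that other accounts on the Pi can read, then decrypt it."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError("%s is accessible to other users; chmod 600 it" % path)
    with open(path, "rb") as f:
        return decrypt_credentials(f.read(), passphrase)


def demo():
    """Round trip through a temporary file with constructed sample credentials."""
    creds = {"example-forum": {"user": "pi-bot", "password": "constructed-sample"}}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vault.bin")
        write_vault(path, creds, "passphrase typed once at boot")
        return read_vault(path, "passphrase typed once at boot")


if __name__ == "__main__":
    print(demo())
```

In the automation script the passphrase would come from `getpass.getpass()` once per boot, and the returned dict is handed to mechanize's form fill. The credentials then live in the process's memory for its lifetime, which Python cannot reliably wipe, so the remaining controls are the file permissions, the account password and physical custody of the SD card, exactly as the answer describes.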