You are not logged in.

#1 2008-04-25 20:53:53

adekoba
Member
Registered: 2007-07-10
Posts: 128
Website

Passwords on the Desktop

I've made a little script that checks to see if I have any emails in my gmail account. The script requires a password (to log on), but I do not want to type in my password every single time. So was thinking, I could get around this by putting my password in a file and then having the script read that file.

This method works, it is just that I am not comfortable with my password lying around in cleartext in a file in my home directory. There may be no other solution, but is there any way to secure my password so that no other user (say root) could read the password, yet still have my script be able to read it.

I know it's a stupid thing to ask, but I am just wondering if anyone has had a similar experience...


abcdefghijklmnopqrstuvwxyz

Offline

#2 2008-04-25 23:29:40

tigrmesh
IRC Op
From: Florida, US
Registered: 2007-12-11
Posts: 794

Re: Passwords on the Desktop

What about obfuscating the password in the file and having the script clean it up?  For example:
mypassword
m1y2p4a8s3s5w0ojrmd1

The script would simply have to remove every second letter.  Or you could have it remove the 1st, 5th and 14th letters.  As long as the script and the file are in sync about what needs to be modified, it doesn't matter.  Just a thought...

Offline

#3 2008-04-25 23:48:27

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694
Website

Re: Passwords on the Desktop

I've had the same need as you. To "scratch" my itch I created a python program that uses a gdbm file to store my user id and password. You can use md5 to encrypt the password when you store it and use the same program to de-crypt it when you need to read it and send it out.

In my case I'm pretty comfortable with the security of my system so I did not encrypt the .gdbm file (instead I store it as a hidden file in the system) but if you feel more comfortable by all means encrypting is easy enough to do.

Hope this helps.

R.

Offline

#4 2008-04-26 02:00:53

carlocci
Member
From: Padova - Italy
Registered: 2008-02-12
Posts: 368

Re: Passwords on the Desktop

adekoba wrote:

This method works, it is just that I am not comfortable with my password lying around in cleartext in a file in my home directory. There may be no other solution, but is there any way to secure my password so that no other user (say root) could read the password, yet still have my script be able to read it.

If you want an actual encryption you would have to enter a password to decrypt it at one point (which would spoil the point of your script, I believe)

As it's been suggested to you you could just obfuscate the data with some dumb algorithm, eg rot13 which is as easy as a tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]'

Offline

#5 2008-04-26 02:11:17

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694
Website

Re: Passwords on the Desktop

carlocci wrote:
adekoba wrote:

This method works, it is just that I am not comfortable with my password lying around in cleartext in a file in my home directory. There may be no other solution, but is there any way to secure my password so that no other user (say root) could read the password, yet still have my script be able to read it.

If you want an actual encryption you would have to enter a password to decrypt it at one point (which would spoil the point of your script, I believe)

As it's been suggested to you you could just obfuscate the data with some dumb algorithm, eg rot13 which is as easy as a tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]'

If the file that has the md5 encrypted algorithm has the permissions set to his user he does not need a password, he can read/de-crypt it; that's the point of his script wink

Offline

#6 2008-04-26 04:40:51

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: Passwords on the Desktop

ralvez wrote:
carlocci wrote:
adekoba wrote:

This method works, it is just that I am not comfortable with my password lying around in cleartext in a file in my home directory. There may be no other solution, but is there any way to secure my password so that no other user (say root) could read the password, yet still have my script be able to read it.

If you want an actual encryption you would have to enter a password to decrypt it at one point (which would spoil the point of your script, I believe)

As it's been suggested to you you could just obfuscate the data with some dumb algorithm, eg rot13 which is as easy as a tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]'

If the file that has the md5 encrypted algorithm has the permissions set to his user he does not need a password, he can read/de-crypt it; that's the point of his script wink

and if he can decrypt it without a password, anyone can.

If you're using "chmod" to hide it from other users, you can just do that on a plain text file too.

Also, md5 isnt encryption, it's a hash.

Offline

#7 2008-04-26 13:08:20

adekoba
Member
Registered: 2007-07-10
Posts: 128
Website

Re: Passwords on the Desktop

So from what I understand, I could encrypt the password-file using an encryption that the script would be able to decrypt. The downside of this being that anyone with access to the script and the file could discover my password.


abcdefghijklmnopqrstuvwxyz

Offline

#8 2008-04-26 14:17:19

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694
Website

Re: Passwords on the Desktop

@iphitus,

and if he can decrypt it without a password, anyone can.
Also, md5 isnt encryption, it's a hash.

Your observation is correct about the md5. My point was that he can use the md5 hash to obfuscate ('encrypt') the plain text password and therefore can use it to re-read back when he needs.  As per the fact that if the can read it anyone can that's not so true because if the sets the permissions of the file for his user (chomod 700 myfile) only he can read it. Nevertheless, as I originally posted, I do not see the point of this. If his system is hacked then they will be able to read that file anyways and therefore I think that making it a hidden file is just as good for the level of security that his e-mail password may need. wink

R.

Edit: BTW,  the second point above is the reason I decided to use .gdbm file in my case. If someone finds the hidden .gdbm while casually "picking" into my system (say I left it unattended) they will not openly see the contents (sure there are simple ways around it, but it takes the individual to know what they are doing wink ) and at the same time is very simple to create that type of file.

@adekoba,

You are absolutely correct... nothing is perfectly secure in a computer. "Security" is the word we use to indicate that we intend to delay the intruder log enough that we should be able to discover the illicit actions of the intruder, if possible before damage is done.  cool

Last edited by ralvez (2008-04-26 14:28:33)

Offline

#9 2008-04-26 22:35:37

adekoba
Member
Registered: 2007-07-10
Posts: 128
Website

Re: Passwords on the Desktop

Wait: I understand how the md5 program will obfuscate my password, but how is it going to get it back into cleartext? And wont hashes (like gdbm) just ... you know ... hash my password, not encrypt it (which would allow for subsequent decryption)?


abcdefghijklmnopqrstuvwxyz

Offline

#10 2008-04-26 23:21:57

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,694
Website

Re: Passwords on the Desktop

As iphitus pointed out in reality you are not really encrypting but rather obfuscating the clear text content.
To encrypt the password you really need an encryption algorithm and that is more complicated to implement; in my opinion at least.
As per gdbm this may be helpful to you: http://www.vivtek.com/gdbm.html

Here is a small program that may help you see the use of gdbm to open a mail program and log in:

#!/usr/bin/python

# ===================================================================================
# Name: UserID (uid.py)
# Description: The logman() function takes as an argument the path to a *.gdbm file
# containing necessary log in parameters (host, user ID, password, service) required   
# to authenticate a user to a secure service. The program returns a dictionary file 
# with the required credentials.
# ===================================================================================

__version__ = "Version: 0.4"
__author__ = "Author: Ricardo Alvez @ I.T.two Inc."
__license__ = "License: GPL"

def logman(credentials_path) :
    
    """ The function reads the log in parameters (host, user ID, and password) from a *.gdbm file and
         returns the values in a list. 
        Retruns: dictionary containing host, User ID and User Password
    """
    
    log_in = {"host":"", "uid":"", "passwd":"",'service':""}
    try:
        import gdbm
    except ImportError:
        print "Gdbm Import Error. Exiting..."
        exit()
    
    try:
        credentials = gdbm.open(credentials_path,'r')
    except gdbm.error,e:
        print "Error Number %d - \"%s\"\nwhile trying to read %s" %(e[0], e[1], credentials_path)
        exit()
    else:
        log_in["host"] = credentials['host']
        log_in["uid"] = credentials['uid']
        log_in["passwd"] = credentials['passwd']
        log_in["service"] = credentials['service']

        credentials.close()
 
    return log_in

if (__name__ == '__main__'):
    
    messg = "This function is used to authenticate a user to a secure service.\nTakes as  an argument the path to a *.gdbm file\nReturns: Host, User ID, Password and Service Name."

    print "\n\n%s\n%s\n%s\n%s" %(__version__,__author__,__license__,messg)
    
    """
    # Used for test purposes only

    r = logman('mail.gdbm')
    print "r: %s" % r
    """

Hope this helps.

R.

Offline

#11 2008-04-26 23:35:48

adekoba
Member
Registered: 2007-07-10
Posts: 128
Website

Re: Passwords on the Desktop

Ah, thanks! It makes sense now. I don't think I'm going to go with gdbm, but I will use the same concept.

Thanks again.


abcdefghijklmnopqrstuvwxyz

Offline

#12 2008-04-27 00:50:31

ekerazha
Member
Registered: 2007-02-27
Posts: 290

Re: Passwords on the Desktop

Store the key on a removable drive (ex. USB stick) and keep it with you.

Last edited by ekerazha (2008-04-27 00:51:02)

Offline

Board footer

Powered by FluxBB