3

I have a Python script that I'm running locally which has a password for another application embedded in the os.system call. I obfuscated my password by storing it in a DB that only I have access to and then using Windows auth to connect to the DB (because the script needs to be automated, I can't have a prompt for the PW).

With the above said, it occurred to me, couldn't someone just modify my script and print the 'pw' var to obtain my password? I'm working in a shared cloud environment where other developers would have access to my script. Is there any way to abstract it further so someone couldn't just modify my script and get the pw?

```python
import os
import urllib.parse

import pandas as pd
import sqlalchemy as sa

# Specify the databases and servers used for reading and writing data.
read_server = '~~SERVER_HERE~~'
read_database = '~~DATABASE_HERE~~'

# Establish DB connection (Windows authentication via TRUSTED_CONNECTION).
# urllib.parse.quote_plus is the Python 3 location of quote_plus.
read_params = urllib.parse.quote_plus("DRIVER={SQL Server};SERVER="+read_server+";DATABASE="+read_database+";TRUSTED_CONNECTION=Yes")
read_engine = sa.create_engine("mssql+pyodbc:///?odbc_connect=%s" % read_params)

# Read PW from DB and set to variable
pw_query = """ SELECT DISTINCT PW FROM ~~TABLENAME_HERE~~ """
pw = pd.read_sql_query(pw_query, con=read_engine, index_col=None)
# Take the first row/column directly instead of trimming the list's string
# form, which would also strip brackets or quotes that belong to the password.
pw = str(pw.iloc[0, 0])

# Establish connection to server
os.chdir(r"C:\tabcmd\Command Line Utility")
os.system(r'tabcmd login -s https://~~myURL~~ -u tabadmin -p {mypw}'.format(mypw = str(pw)))
# Make sure you update the below workbook, site names, and destination directory.
os.system(r'tabcmd get "~~FILE_Location~~" -f "~~Destination_DIR~~"')
```

I'm using standard Python (CPython) and MS SQL Server.

2 Answers

1

There's no real way to protect your password if someone can modify the script.

However, if the shared cloud environment has separate users (i.e., logging in via ssh where each person has their own user on the server), then you can change the permissions to restrict access to your code. If not, then I don't think this is possible.


2 Comments

Good call, I think protecting access to the script is key. Is there any way to protect it even from a server admin who's managing our Windows Server accounts?
@Rick You should be able to because the server admin shouldn't have access to your data – they might be managing the accounts, but not your data. It's worth asking first, though. Unfortunately, I've never worked with Windows Server so the specifics are unknown to me.
1

Given you are also hardcoding your database address and access code, nothing prevents others from just connecting to your database for example.

There are ways of obfuscating your code, but in the end, there is no secure way of storing your password, just ways which require more effort to extract it.

Also see https://crypto.stackexchange.com/questions/19959/is-python-a-secure-programming-language-for-cryptography

TL;DR: As long as somebody has access to your program or even source code, the hardcoded password can be extracted, so in your case it would make sense to restrict access to that program.

1 Comment

Hello, tobspr. I'm using Windows auth to connect to the DB and I restricted access to the DB to just myself. However, the server admin has access to my DB so they could access the pw. Is there a better way altogether?
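Both answers come down to restricting who can read or change the script. As an added example (not code from the question or either answer), this Python check reports why other local accounts could read or replace a file and then tightens it to owner-only. It assumes a POSIX host with per-user accounts, as in the first answer (on Windows, `os.stat` does not reflect NTFS ACLs), and the file name `export_job.py` is hypothetical.

```python
import os
import stat
import tempfile


def access_findings(path):
    """Return reasons why other local accounts could read or change `path`."""
    findings = []
    st = os.stat(path)
    # Ownership: only the owner (or root) can change the mode bits later.
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    # Any group/other bit means accounts besides the owner have some access.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other access: " + stat.filemode(st.st_mode))
    # A directory writable by others lets them swap the file for their own copy.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group/other")
    return findings


def lock_down(path):
    """Restrict `path` to owner read/write and return any remaining findings."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return access_findings(path)


def demo():
    """Constructed sample: a world-readable script in a private temp directory."""
    workdir = tempfile.mkdtemp()  # created with mode 0700
    script = os.path.join(workdir, "export_job.py")  # hypothetical file name
    with open(script, "w") as fh:
        fh.write("# placeholder for the automation script\n")
    os.chmod(script, 0o644)
    before = access_findings(script)
    after = lock_down(script)
    os.remove(script)
    os.rmdir(workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Anyone who can already edit the script can also delete such a check, so it catches permission drift rather than a hostile editor.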
