Hiding a password in code

Hello!

The other day I wrote a small Ruby app to check my finances on Mint.com.
My
intentions were to have this script run every once and a while and
display the
information on my desktop (via a tool like Conky or GeekTool).

My problem is, how do I handle my password? Here are the two situations
I’ve
considered:

  1. Use the command line to enter the password.
  2. Have the password stored in the script via some sort of encryption.

Neither of these seem very secure. In the first option, someone can
sniff my
password via the “ps” utility, and in the second, someone could view the
source
code and figure it out.

Security isn’t a HUGE priority, as this account doesn’t really have
access to
anything serious. Right now, I have the password in the file, encrypted
with
ROT13 (hah!), just to make it a little harder for someone skimming the
source to
figure it out.

Any ideas on how to handle this situation?

-Dana

Dana M. wrote:

  1. Have the password stored in the script via some sort of encryption.
    Any ideas on how to handle this situation?

-Dana

Store your password in an encrypted file. When you start the script up,
enter the encryption password to decrypt the file so your Ruby script
can grab it and keep it in memory. It won’t be stored in plaintext in
the file (but will probably end up in swap if you’re really paranoid).

This is about as effective as entering the password as the script starts
come to think of it. This has always been a problem. You can’t store
the password to be retrieved automatically, the best you can do it
obfuscate it. And you’re right, never give passwords on the
command-line. Scripts that need passwords should read them from
keyboard or STDIN. Especially if you’re on a shared machine.

Michael M. wrote:

keyboard or STDIN. Especially if you’re on a shared machine.
These are excellent points. The reason I haven’t done this is that I’d
like to
have my script be able to run without action from me, in the background.

I suppose I just need to accept the fact that I’m asking to do something
inherently insecure in an interpreted language. I’m pleased enough with
this
solution:

form[‘password’] = @options[:pass] ||
“AvprGel”.tr(“A-Za-z”,“N-ZA-Mn-za-m”)

-Dana

On 6/30/08, Dana M. [email protected] wrote:

And you’re right, never give passwords on the command-line. Scripts that

form[‘password’] = @options[:pass] ||
“AvprGel”.tr(“A-Za-z”,“N-ZA-Mn-za-m”)

“Interpreted language” is pretty much irrelevant though. The hackers
that be can pull hardcoded passwords out of compiled code very quickly
and easily.

Gnome solves this situation by using the Gnome login to open an
encrypted keyring which stores passwords to things like Wireless
networks. There should be a way for a Ruby program to leverage this
functionality.

Les

Leslie V. wrote:

“Interpreted language” is pretty much irrelevant though. The hackers
that be can pull hardcoded passwords out of compiled code very quickly
and easily.

That’s sort of true. If I didn’t employ any string obfuscation, it would
be easy
for them to get the sensitive data. It would be much easier, however, to
obfuscate the password in compiled code so that it would be unreadable
(without
significant means), than it would in a language where the source is
readily
available.

In any case, I’m not particularly worried about hackers anyway. As I
said, this
isn’t really dangerous information, I’d just rather it not be in
plaintext. :-D.

Gnome solves this situation by using the Gnome login to open an
encrypted keyring which stores passwords to things like Wireless
networks. There should be a way for a Ruby program to leverage this
functionality.

While this would be cool, I don’t use Gnome so unfortunately it would be
useless
to me. I could, however, look into a Ruby API that works with OS X’s
Keychain.
That’s a good idea and I’ll look into it.

-Dana

On 6/30/08, Leslie V. [email protected] wrote:

come to think of it. This has always been a problem. You can’t store the
inherently insecure in an interpreted language. I’m pleased enough with this
Gnome solves this situation by using the Gnome login to open an
encrypted keyring which stores passwords to things like Wireless
networks. There should be a way for a Ruby program to leverage this
functionality.

Have a look at:
http://library.gnome.org/devel/gnome-keyring/stable/ch01.html
http://www.rittau.org/blog/20070726-01

It seems Gnome-keyring can be accessed from Python, so this may help
you get a Ruby solution going. Assuming you use Gnome of course!

Les

Leslie V. wrote:

And you’re right, never give passwords on the command-line. Scripts that
“AvprGel”.tr(“A-Za-z”,“N-ZA-Mn-za-m”)
Les

Come to think of it, I used to use KDE’s KWallet via dcop to store
passwords. It of course has all the same weaknesses, but you only need
to decrypt your passwords once when you boot up. Be aware that any
program can now read your passwords. Specifically with KWallet, it had
no way of authenticating which program was requesting the passwords.
You could easily write a Ruby script that pretends to be Kopete or
Konqueror and read any password.

Using something to display a dialog box to enter your password when the
script starts would be the best solution. It’s not very inconvenient to
enter your password once when it starts up, and the password doesn’t
have to be stored anywhere.

On Tue, Jul 01, 2008 at 05:04:12AM +0900, Dana M. wrote:

Leslie V. wrote:

Gnome solves this situation by using the Gnome login to open an
encrypted keyring which stores passwords to things like Wireless
networks. There should be a way for a Ruby program to leverage this
functionality.

While this would be cool, I don’t use Gnome so unfortunately it would be
useless to me. I could, however, look into a Ruby API that works with OS
X’s Keychain. That’s a good idea and I’ll look into it.

I wrote keybox which is only requires ruby and ruby’s openssl extension.
It was initially for just storing my own passwords and making them
avaialble
from a console, but the Keybox::Storage::Container has a pretty simple
API
that could be utilized for this type of usage.

You could use the command line to build the encrypted file and then
in your code to something like:

app start

prompt for keybox password

container = Keybox::Storage::Container.new( passphrase,
“/path/to/keybox/file”)

do long running stuff

When the application needs the password it can do:

record = container.find(“record-key”).first

do somethig with record.username and record.password

Feel free to check it out and see if it would work for your situation.

http://keybox.rubyforge.org/
http://keybox.rubyforge.org/rdoc/index.html

enjoy,

-jeremy

2008/6/30 Michael M. [email protected]:

Store your password in an encrypted file. When you start the script up,
enter the encryption password to decrypt the file so your Ruby script can
grab it and keep it in memory. It won’t be stored in plaintext in the file
(but will probably end up in swap if you’re really paranoid).

Frankly, I’d rather let the user enter the password. The security is
the same, usage convenience is as bad as in your suggestion but
implementation becomes much easier.

This is about as effective as entering the password as the script starts
come to think of it. This has always been a problem. You can’t store the
password to be retrieved automatically, the best you can do it obfuscate it.
And you’re right, never give passwords on the command-line. Scripts that
need passwords should read them from keyboard or STDIN. Especially if
you’re on a shared machine.

Alternatively, if you trust file system permissions or have
automatic file system level encryption you can store it in plaintext.
:slight_smile:

Kind regards

robert

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs