I am working on making a log file for a small application. If an error occurs in the application, then I have to send a mail to a person. I've figured out the code to send a mail to a person, but I don't want to hard-code the password as a string. Instead, I want to encrypt it and then decrypt it in my Python code. Alternatively, is it okay to store the email and password in a CSV file and read it from the file? How safe is this? Can someone guide me on how this can be done? Any example or documentation is welcome.
- Are you going to be distributing this application, or is it going to be run from the web? – David Jun 26 '14 at 15:51
- What value is there having the password unencrypted once you've done so in the python piece of the workflow? Is it truly necessary to unencrypt it? – Andrew Hoffman Jun 26 '14 at 18:05
- This application will be distributed to certain people. – Raki Jun 27 '14 at 12:16
- It is not necessary to unencrypt it. – Raki Jun 27 '14 at 12:16
2 Answers
You have a bit of a chicken and the egg problem. On one hand, you need to store the password; on the other hand, you don't want it to be readable by just anyone. The problem is that you will either rely on an algorithm or another secret key stored somewhere on your system to obfuscate and de-obfuscate your password. This is security through obscurity and will only make it a little bit harder for an attacker to guess the used password.
If you plan on distributing your application, this is not the way to go and you should re-think your strategy (for instance, displaying the error to the user and requesting him to email it for you instead).
If you are running the application as a single instance, my advice is to just leave the password as is and ensure that the file permissions are set so that only the user as which the script is run can read the file containing the password.
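The file-permission approach from the answer above, as an added example that is not part of the original answers: a POSIX-only loader that refuses a password file unless it is a regular file owned by the running user with no group or other access. The function names, the exception class and the file name are assumptions made for illustration.

```python
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """Raised when the credential file could be read by another account."""


def load_mail_password(path):
    """Return the password stored in `path`, refusing a file with loose permissions."""
    # O_NOFOLLOW: do not follow a symlink planted at the expected path.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as handle:
        # fstat the open descriptor so the checks apply to the file actually read.
        info = os.fstat(handle.fileno())
        if not stat.S_ISREG(info.st_mode):
            raise InsecureCredentialFile(f"{path} is not a regular file")
        if info.st_uid != os.geteuid():
            raise InsecureCredentialFile(f"{path} is not owned by the running user")
        if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path} has mode {stat.S_IMODE(info.st_mode):o}; expected 600 or 400")
        return handle.read().rstrip("\n")


def write_mail_password(path, password):
    """Create `path` with mode 0600 from the start, so it is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(password + "\n")


def demo():
    """Constructed sample: one correctly protected file, then the same file loosened."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "mail_password")  # hypothetical file name
        write_mail_password(path, "constructed-sample-password")
        accepted = load_mail_password(path)
        os.chmod(path, 0o644)  # simulate a file left readable by other users
        try:
            load_mail_password(path)
            rejected = False
        except InsecureCredentialFile:
            rejected = True
        return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The check only limits which local accounts can read the file; anyone running as that user, or as root, can still read the password.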
In addition to what Lucas said, you could ensure that the application sending this log over email has its own email account with its own unique password. Indeed, if your app were to be compromised or downloaded by someone, it shouldn't leak a password that you actually care about.