How to obscure a password


Batista, Facundo

I'm doing a small program, in which the user will have the option to enter
his/her password every time, or just save it (to a file).

So, is there a module to obscure the password text in a secure way?

I can't hash it (with md5 or something), because I do not need to compare the
password the user enters with a previous one.

I need to restore the password later and use it as if the user just entered
it.

Thank you all!

Facundo Batista
Gestión de Red
(54 11) 5130-4643
Cel: 15 5132 0132
 

Rene Pijlman

Batista, Facundo:
> So, is there a module to obscure the password text in a secure way?

You can only obscure a password in an obscure way, not in a secure way.

> I can't hash it (with md5 or something), because I do not need to compare the
> password the user enters with a previous one.
>
> I need to restore the password later and use it as if the user just entered
> it.

I use rotor for that.
http://www.python.org/doc/current/lib/module-rotor.html
 

Peter Hansen

Batista said:
> I'm doing a small program, in which the user will have the option to enter
> his/her password every time, or just save it (to a file).
>
> So, is there a module to obscure the password text in a secure way?

No. Absolutely not.

> I can't hash it (with md5 or something), because I do not need to compare the
> password the user enters with a previous one.
>
> I need to restore the password later and use it as if the user just entered
> it.

Your design is probably fundamentally flawed in that case. Are you
certain it is not possible to store the hashed password and always
to compare against it?

The biggest concern I have with systems that allow retrieving the password,
even as an administrator, is that the users are generally not informed
that the administrator has full access to their passwords. Since
many people re-use their favourite passwords all over the place, they
are prone to using the same password that gets them into their online
banking system as they use for the little web-based community site (or
whatever it is) that you're setting up.

No matter how secure you make the front end (https, encrypting passwords
in Javascript, etc) if you store the unencrypted password anywhere, you
are doing your users a gross disservice. Don't do it! IMHO.

-Peter
 

John Burton

> I'm doing a small program, in which the user will have the option to enter
> his/her password every time, or just save it (to a file).
>
> So, is there a module to obscure the password text in a secure way?
>
> I can't hash it (with md5 or something), because I do not need to compare the
> password the user enters with a previous one.
>
> I need to restore the password later and use it as if the user just entered
> it.
>
> Thank you all!

Probably your best method is to install something like this -
http://www.amk.ca/python/code/crypto.html

and use AES or DES3 or similar to encrypt the passwords.
Of course you then have to keep the encryption key secure, but that may
or may not be a problem for you.
 

Rene Pijlman

John Burton:
> Probably your best method is to [...] use AES or DES3 or similar
> to encrypt the passwords. Of course you then have to keep the
> encryption key secure

No problem. Just ask the user to enter it every time :)
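
The approach John Burton and Rene Pijlman describe above (encrypt the saved password, and have the user supply the key each time) as an added example that is not code from any poster in this thread. It assumes the third-party `cryptography` package, whose Fernet recipe is AES-128-CBC with an HMAC-SHA256 tag; the function names, JSON file layout and scrypt parameters are illustrative choices.

```python
import base64
import hashlib
import json
import os

from cryptography.fernet import Fernet, InvalidToken  # third-party package

# Assumed scrypt cost parameters; raise n as the hardware allows.
SCRYPT = {"n": 2**14, "r": 8, "p": 1}


def _key(passphrase: str, salt: bytes) -> bytes:
    """Derive a Fernet key from the passphrase; the key itself is never stored."""
    raw = hashlib.scrypt(passphrase.encode(), salt=salt, dklen=32, **SCRYPT)
    return base64.urlsafe_b64encode(raw)


def save_password(path: str, password: str, passphrase: str) -> None:
    """Encrypt `password` under a passphrase-derived key and write it to `path`."""
    salt = os.urandom(16)  # fresh salt per save, stored beside the ciphertext
    token = Fernet(_key(passphrase, salt)).encrypt(password.encode())
    record = {"salt": salt.hex(), "token": token.decode()}
    # Mode 0o600 (owner-only) applies when the file is newly created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)


def load_password(path: str, passphrase: str) -> str:
    """Return the stored password, or raise ValueError on a wrong passphrase
    or a modified file (Fernet authenticates the ciphertext)."""
    with open(path) as fh:
        record = json.load(fh)
    key = _key(passphrase, bytes.fromhex(record["salt"]))
    try:
        return Fernet(key).decrypt(record["token"].encode()).decode()
    except InvalidToken:
        raise ValueError("wrong passphrase or corrupted file") from None


if __name__ == "__main__":
    # Constructed sample values, for demonstration only.
    save_password("saved_pw.json", "s3rvice-pass", "master passphrase")
    print(load_password("saved_pw.json", "master passphrase"))
    os.remove("saved_pw.json")
```

If the passphrase is itself written to disk next to the file, anyone who can read both recovers the password, so the protection holds only while the passphrase stays with the user.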
 

Lucas Raab

The only problem with using rotor is that, given the time, someone could
decrypt the password file by using the encrypted form and guessing the key.
 

Christopher A. Craig

Lucas Raab said:
> The only problem with using rotor is that, given the time, someone could
> decrypt the password file by using the encrypted form and guessing
> the key.

Or they could just steal the key. As he said, you can only obscure a
password in an obscure way, not a secure way.
 
