Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

Best way to store passwords

by Special_K (Monk)
on Nov 06, 2013 at 05:26 UTC ( [id://1061396]=perlquestion: print w/replies, xml ) Need Help??

Special_K has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I am using WWW:Mechanize to automate access to several websites I check regularly. My scripts log in, scrape the necessary data, and then logout.

The only thing that makes me a little nervous is that right now, my passwords are stored in the perl scripts in plaintext because that's what functions such as submit_form() expect.

I'm the only one that uses my computer - I'm not running a webserver or anything. Nevertheless, I'm wondering if I'm leaving myself vulnerable in some way by storing these passwords in plaintext in a text file on my computer. Should I be using a different method to store/access these passwords from perl?

Can the WWW Mechanize functions use some sort of encryption/decryption so I don't have to store plaintext versions of my passwords in my perl scripts? I should add that other than the perl files mentioned above, none of my passwords exist in plaintext format anywhere else on my computer to the best of my knowledge. I store all passwords in an encrypted KeePass database.

Replies are listed 'Best First'.
Re: Best way to store passwords
by atcroft (Abbot) on Nov 06, 2013 at 05:51 UTC

    There appear to be several modules related to KeePass on CPAN (I saw at least App::KeePass2, File::KeePass, and File::KeePass::Agent, when I did a quick search)-could you perhaps interface your script with it? Other than that, there are Crypt:* modules that you could perhaps use to encrypt your password files, and have the program decrypt only what it needs when it needs it (or perhaps on startup). Provide the decryption key at startup, decrypt what you need into memory, and run? Just a thought.

    Hope that helps.

Re: Best way to store passwords
by Michael Roberts (Sexton) on Nov 06, 2013 at 13:01 UTC

    I've done the groundwork for using the KeePassRest extension from Perl (see here - it's a plugin that provides a local REST API listener port), but I haven't had the chance to do a writeup yet or to put the stuff into a module. But if you're already using KeePass, it seems like the best way to manage passwords - the local listener starts up after you've started KeePass by entering your normal password by hand, and can retrieve username/password combinations as needed, which you then pass to WWW::Mechanize. Your scripts don't need to contain any usernames or passwords or even decryption keys.

    I really need to finish that writeup.

Re: Best way to store passwords
by einhverfr (Friar) on Nov 06, 2013 at 13:26 UTC

    There is no one size fits all answer. In general you have the choices of carefully protected plaintext storage in a secure location (ideal for fully automated processes) or encrypted data protected with a passphrase you enter when you login interactively.

    In a fully automated environment, your system needs all info sufficient to access the plain text so if the computer is compromised the system has enough information to access the plain text no matter what you do.

    On the other hand for interactive workloads, you can use AES (see Crypt::OpenSSL::AES) to encrypt the passwords with a passphrase you enter.

    You might also consider measures outside your application and use full disk encryption.

      In this case my scripts are fully automated and need to run without any manual input. The KeePass modules mentioned above seem to still require you to store your master password in plaintext to access the database. To me, that seems less secure than only storing the specific passwords I need in plain text.
        Yeah. For fully automated environments, plain text with appropriate controls there, is the best you are going to be able to do. Your best encryption is going to be something like full disk or partition encryption which requires you to enter a password at boot or mount time.
Re: Best way to store passwords
by pryrt (Abbot) on Nov 17, 2021 at 14:58 UTC
    I know this is an old topic, but I recently tried WWW::KeePassRest as a result of this discussion, and really liked it... until I saw that the KeePassRest plugin currently requires an Ultimate or Enterprise license to another piece of software, despite being a publicly-available download, so I had to delete it once I realized I was violating the license.

    The similar KeePassHttp plugin doesn't have that restrictive license, so I wrote a module WWW::KeePassHttp to interface with it. See my other post Announcing WWW::KeePassHttp v0.01 for more details, in case it's useful to you.

Re: Best way to store passwords
by Michael Roberts (Sexton) on Apr 24, 2014 at 16:59 UTC

    Finally got around to writing WWW::KeePassRest to solve this problem. And also wrote an article about the writing of the module, background stuff, etc.

    To make a long story short, if you set things up in your KeePass database and install the KeePassRest plugin, you can do this:

    use LWP; use WWW::KeePassRest; use strict; my $url = 'http://somesite.com/aa/bb/cc.html'; my $browser = LWP::UserAgent->new('Mozilla'); $browser->credentials("somesite.com:80", "Realm", WWW:::KeePassRest->get_by_title('Some site credentials', 'UserName', 'Password')); my $response=$browser->get($url);
    And voila! You have secure password access. Like magic.
      Is this a Windows only solution?

        From https://www.smartftp.com/keepassrest:

        System Requirements

        • KeePass 2.32 or higher
        • Windows 7 SP1, 2008 R2, 8, 8.1, 10
        • Microsoft .NET Framework version 4.5 or higher

        So that looks very much like a "yes" to me.

Re: Best way to store passwords
by boftx (Deacon) on Nov 06, 2013 at 22:36 UTC

    It would seem that you have correctly identified the various pros and cons associated with password storage anytime you must work with a non-interactive environment. The only thought I can offer would be to possibly mitigate the exposure by having secondary accounts on the relevant websites with the minimum access you need to accomplish your goal.

    At the very least, be sure than none of the passwords you must use for this are used for any thing else (but I suspect you already follow that practice.) On the plus side, It might be that these can have a high degree of randomness if you never (or rarely) enter them by hand.

    The answer to the question "Can we do this?" is always an emphatic "Yes!" Just give me enough time and money.
Re: Best way to store passwords
by sundialsvc4 (Abbot) on Nov 06, 2013 at 19:06 UTC

    Mechanize has no idea where the values it sends come-from.   You’re right that storing passwords in plain-text form represents a potential weakness ... but if you encrypt them, well, you have to store the encryption key somewhere, too.   So, an API to KeePass would probably be the best bet here, and this will have nothing directly to do with Mechanize.

      But then you have to store the KeePass DB password in plain text somewhere, right?

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://1061396]
Approved by Old_Gray_Bear
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others admiring the Monastery: (3)
As of 2024-09-11 19:59 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    The PerlMonks site front end has:





    Results (15 votes). Check out past polls.

    Notices?
    erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.