What is the least insecure way to store a password that is used by a script?


Solution 1

What kind of service? Certain services have other methods to authenticate, e.g. SSH keys for SSH in conjunction with SSH agent.

I'd store the password separate from the script, and make sure that all path components have the correct permissions set. E.g., make sure that in the path /path/to/file, /, /path and /path/to are owned by a user you trust (root) and that these are not writable by someone who is not allowed to see your files. Finally, the recommended permissions for the file are 600 or 400.

That file could look like this:

PASSWORD='something that you cannot remember'

In your script, use the below code to import the variable:

. /path/to/file

As for your script, make sure that it does not contain holes which may allow attackers to execute code in the script context (e.g. an uncontrolled environment which may have an arbitrary $PATH variable set, or invalid use of other files, such as sourcing a world-writable file).

As for the actual protection of your password, you can't. It must be available somehow to the other service. As an alternative, you can encrypt the file/script containing the password using openssl or gpg so you need to enter a password before the credentials are unlocked. This is especially useful if your service's password is hard to remember.

Solution 2

Instead of hardcoding the password in the file, store the password in a separate file and protect the file (chmod 700 or chmod 500) so that only the authorised users can access it.

Retrieve the password with cat /dir/to/file/with/.password instead of reading the file and storing the content of it into a variable.

Solution 3

I know this is an old question but I faced a similar issue and I used Ubuntu's keyring to solve it. Here is a solution on Ubuntu 18.04 LTS. Open the terminal and type keyring set {{service}} {{username}}. For example, if you are using this for school password logging:

keyring set school mohamed

It will prompt you for a password; enter the password. Now the password you entered is stored in the Ubuntu keyring.

To get this password write in the terminal:

keyring get school mohamed

To use this in the context of a script:

password=$(keyring get school mohamed)

Now the variable password contains the password you previously entered.



Author: RusGraf

Updated on September 18, 2022

Comments

  • RusGraf
    RusGraf over 1 year

    I have a Bash script that automatically authenticates with a service using my username and password. The credentials are currently stored as plain text within the script.

    What precautions should I take to most securely store these credentials while still allowing the script access?

    Points of clarification:

    • I understand that, if available, other methods of authentication should be used instead. I still want to know what to do in the case that password authentication is the only option.
    • Not storing the password at all is not an acceptable answer here. I am asking about the case in which the script must have unattended access to the password.
    • Thomas Ward
      Thomas Ward almost 13 years
      not store the passcode part of the credentials, perhaps?
    • Benji
      Benji almost 13 years
      Wouldn't it work to access GNOME Keyring or something similar?
    • Anonymous
      Anonymous over 12 years
      Perhaps if you could store it as a cryptographic hash (such as SHA-1), that would be nice.
    • Anonymous
      Anonymous over 12 years
      ROT13 would obscure it, but would NOT secure it in any way.
    • RusGraf
      RusGraf over 12 years
      @Anonymous If the password is stored as a cryptographic hash, how do you recommend retrieving it?
  • Admin
    Admin almost 13 years
    Some tools even have an option to read the password from a file directly for precisely this reason, such as gpg's --passphrase-file option.
  • knb
    knb over 12 years
    ...and make it a .dotfile (/dir/to/file/with/.password)