<font size="2"><font face="courier new,monospace">Thanks for the replies. I thought the answer was no.</font></font><div><font size="2"><font face="courier new,monospace">Vincent<br></font></font><br><div class="gmail_quote">
On Wed, May 5, 2010 at 7:48 PM, Tim Chase <span dir="ltr"><<a href="mailto:python.list@tim.thechases.com">python.list@tim.thechases.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On 05/05/2010 08:12 PM, Vincent Davis wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I can't think of a way to do this, not sure it is possible but I feel as<br>
though I might not know what I don't know.<br>
<br>
I want to share an example of a Python script; to run, it needs a Google<br>
username and password. Is there a way for me to encrypt my username and<br>
password in the source code?<br>
</blockquote>
<br></div>
No-ish. You can encrypt it, but if you encrypt it, you need to include the keys or algorithm for decrypting it, and all it takes is a pdb.set_trace() before the decrypted uname/pwd get sent to Google to get it, and poof all your encryption/decryption has been in vain:<br>
<br>
uname = SUPER_ENCRYPTED_USER<br>
pwd = SUPER_ENCRYPTED_PASSWORD<br>
u = secret_decrypt(uname)<br>
p = secret_decrypt(pwd)<br>
# regardless of how good the stuff above is<br>
# you're vulnerable right here:<br>
# print "%r %r" % (u, p)<br>
do_google_stuff(u, p)<br>
<br>
Unless the Google API you're using allows for chain-of-authority creation of sub-credentials (so your account creates secondary accounts that are then distributed in your code/config files and managed via your dev login), two possibilities that come to mind:<br>
<br>
1) put in a bogus uname/password and make them get their own Google login to put in (which can be done in a config file if they're squeamish about editing source code). This assumes that any arbitrary Google login can grant access to what you want (sometimes this is a developer key, in which case the user would need to get their own dev key).<br>
<br>
2) create a web-service on a server somewhere that has your credentials, but your distributed code merely hits this web service instead of having your actual credentials in the source (plain-text or encrypted). The server would have them (I'd just put them in plain-text -- no need to be fancy. If you can't trust your hosting service, don't use them) but you wouldn't expose the credentials outside the application.<br>
<br>
-tkc<br>
<br>
</blockquote></div><br><div name="mailplane_signature"> <table><tbody><tr><td width="80">
</td><td width="10"></td><td width="127" align="center">
<div style="padding-right: 5px; padding-left: 5px;
font-size: 11px; padding-bottom: 5px; color: #666666;
padding-top: 5px">
<p><strong>Vincent Davis<br>
720-301-3003
</strong><br>
<a href="mailto:vincent@vincentdavis.net">vincent@vincentdavis.net</a> </p>
<div style="font-size: 10px">
<a href="http://vincentdavis.net">my blog</a> |
<a href="http://www.linkedin.com/in/vincentdavis">LinkedIn</a></div></div></td></tr><tr></tr></tbody></table></div></div>
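<p>Added example, not part of the original thread: one way to implement option 1 from Tim Chase's reply, where the shared script ships only placeholder values and each user supplies their own login through the environment or a private config file. The environment variable names GOOGLE_USERNAME and GOOGLE_PASSWORD, the [google] config section, the placeholder strings and the sample files are assumptions made for this example.</p>

```python
import configparser
import os
import stat
import tempfile

# Assumed names for this example: env vars, [google] section, placeholder strings.
PLACEHOLDERS = {"", "YOUR_USERNAME", "YOUR_PASSWORD"}

class CredentialError(Exception):
    """Raised when no usable, privately stored credentials are found."""

def load_credentials(path, env=os.environ):
    """Return (username, password) from the environment or a private config file."""
    user, pwd = env.get("GOOGLE_USERNAME"), env.get("GOOGLE_PASSWORD")
    if not (user and pwd):
        if not os.path.isfile(path):
            raise CredentialError("missing: create %s with your own login" % path)
        # Refuse a file that group or other users can access (POSIX only).
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise CredentialError("permissions: %s is %o, want 600" % (path, mode))
        cfg = configparser.ConfigParser(interpolation=None)  # keep '%' literal
        cfg.read(path)
        try:
            user, pwd = cfg["google"]["username"], cfg["google"]["password"]
        except KeyError as exc:
            raise CredentialError("missing: no %s in [google]" % exc)
    if user in PLACEHOLDERS or pwd in PLACEHOLDERS:
        raise CredentialError("placeholder: replace the shipped dummy values")
    return user, pwd

def demo():
    # Constructed sample files: the shipped template and a filled-in copy.
    shipped = "[google]\nusername = YOUR_USERNAME\npassword = YOUR_PASSWORD\n"
    filled = "[google]\nusername = alice@example.com\npassword = p%ss\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "google.ini")
        for body, mode in [(shipped, 0o600), (filled, 0o644), (filled, 0o600)]:
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
            try:
                results.append(load_credentials(path, env={}))
            except CredentialError as exc:
                results.append(str(exc).split(":")[0])
    return results

if __name__ == "__main__":
    print(demo())
```

<p>The shared repository then carries only the template file with the dummy values; the filled-in copy stays on each user's machine and out of version control.</p>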