Hiding token information from users
Tobiah
tobiah at teranews.com
Tue Aug 23 13:00:33 EDT 2011
On 08/23/2011 09:55 AM, Steven D'Aprano wrote:
> Tobiah wrote:
>
>> I really need some sort of
>> algorithm that will let me take an unknown string and generate
>> the encrypted bit on the fly.
>
> Google broken for you? *wink*

I had some requirements in the OP that I could not
find a solution for.

> Seriously, there are about a bazillion algorithms for encrypting and
> obfuscating strings. Depending on your security requirements, that can be
> as simple as rot13 and as complex as blowfish (or even more so).
>
> If it helps, I have a module that implements a selection of classical (i.e.
> insecure) encryption algorithms:
>
> http://pypi.python.org/pypi/obfuscate
>
>
> Earlier, you said:
>
>> The secret is not like
>> the key to Fort Knox. We would rather not have the plain
>> token out there, as it's internal business information,
>> but we don't have to protect the information at all costs.
>> Just making it really inconvenient to extract is fine.
>
> I don't understand the point of this. What could your users do with the
> plain token that they shouldn't? I don't see why, if it's not worth
> encrypting properly, it's worth obfuscating it at all.

The token ends up translating into the name of a database on our
server. With that information alone, it's difficult to imagine
a serious vulnerability, yet we just thought it would be worth
it to disguise the plain text.
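
An added example, not part of the original post or of either poster's code: it contrasts an unkeyed disguise (rot13, mentioned above) with a keyed HMAC handle that is generated on the fly from any string and resolved back to a database name only on the server. The key, the database names and all function names are constructed for illustration, and the sketch assumes the server can enumerate its own database names.

```python
import codecs
import hashlib
import hmac

# Constructed sample values; none of these come from the thread.
SERVER_KEY = b"constructed-demo-key-kept-on-the-server"
DATABASES = ["acme_orders", "globex_billing"]


def rot13_handle(token: str) -> str:
    """Unkeyed obfuscation: anyone who guesses the scheme can undo it."""
    return codecs.encode(token, "rot13")


def opaque_handle(token: str, key: bytes = SERVER_KEY) -> str:
    """Keyed, one-way handle computed on the fly with HMAC-SHA256."""
    mac = hmac.new(key, token.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is ample for a lookup handle


def resolve(handle: str, known=DATABASES, key: bytes = SERVER_KEY):
    """Server side: map a handle back to a database name, or None."""
    match = None
    for name in known:
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(opaque_handle(name, key), handle):
            match = name
    return match


if __name__ == "__main__":
    plain = "acme_orders"
    weak = rot13_handle(plain)
    print("rot13 :", weak, "->", codecs.decode(weak, "rot13"))
    strong = opaque_handle(plain)
    print("hmac  :", strong, "->", resolve(strong))
    print("forged:", resolve("0" * 32))
```

The handle the user sees reveals nothing about the database name without the server key, and a handle that matches no known database resolves to None rather than to a name.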