Hiding token information from users

Tobiah tobiah at teranews.com
Tue Aug 23 19:00:33 CEST 2011

On 08/23/2011 09:55 AM, Steven D'Aprano wrote:
> Tobiah wrote:
>> I really need some sort of
>> algorithm that will let me take an unknown string and generate
>> the encrypted bit on the fly.
> Google broken for you? *wink*

I had some requirements in the OP that I could not
find a solution for.

> Seriously, there are about a bazillion algorithms for encrypting and
> obfuscating strings. Depending on your security requirements, that can be
> as simple as rot13 and as complex as blowfish (or even more so).
> If it helps, I have a module that implements a selection of classical (i.e.
> insecure) encryption algorithms:
> http://pypi.python.org/pypi/obfuscate
> Earlier, you said:
>> The secret is not like
>> the key to Fort Knox.  We would rather not have the plain
>> token out there, as it's internal business information,
>> but we don't have to protect the information at all costs.
>> Just making it really inconvenient to extract is fine.
> I don't understand the point of this. What could your users do with the
> plain token that they shouldn't? I don't see why, if it's not worth
> encrypting properly, it's worth obfuscating it at all.

The token ends up translating into the name of a database on our
server.  With that information alone, it's difficult to imagine
a serious vulnerability, yet we just thought it would be worth
it to disguise the plain text.
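An added illustration of the two options discussed above (not code from the thread or from the obfuscate module): a reversible rot13 token that any recipient can undo, beside a keyed HMAC handle that only the server, which already knows its own database names, can resolve. The key and the database names are constructed placeholders.

```python
import codecs
import hashlib
import hmac
from typing import List, Optional

# Hypothetical server-side secret; in practice load it from configuration
# and never ship it to clients.
SERVER_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample of the database names the server already knows about.
KNOWN_DATABASES = ["acme_sales_2011", "acme_hr", "acme_inventory"]


def obfuscate_rot13(name: str) -> str:
    """Reversible obfuscation: anyone holding the token can recover the name."""
    return codecs.encode(name, "rot_13")


def deobfuscate_rot13(token: str) -> str:
    """Undo rot13 without any secret, which is the weakness of this scheme."""
    return codecs.decode(token, "rot_13")


def opaque_token(name: str, key: bytes = SERVER_KEY) -> str:
    """Keyed, non-reversible handle: hex HMAC-SHA256 of the name under the key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def resolve_token(token: str, known: List[str], key: bytes = SERVER_KEY) -> Optional[str]:
    """Server side: recompute the handle for each known name and compare in
    constant time. Returns None for a token that was not produced under this key."""
    for name in known:
        if hmac.compare_digest(opaque_token(name, key), token):
            return name
    return None
```

The HMAC route hides the database name from anyone without the key, at the cost of requiring the server to hold the list of names it is willing to resolve.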

More information about the Python-list mailing list