Hide Password (Python)

+9 votes
asked Jul 10, 2023 by Eidnoxon (5,270 points)
Let's take this line for example:

`if password == "password":`

If I send my code to people who know programming, they'll easily open the file, search for the password or, worse, remove the code where it asks for the password.
How can I encrypt the Python file, or anything else, to make the people I send my code to unable to edit the Python code? ANY HELP IS APPRECIATED!!
I have been searching the net for a long time now, unfortunately, no luck :/

3 Answers

+1 vote
answered Jul 10, 2023 by Peter Minarik (88,520 points)
edited Jul 11, 2023 by Peter Minarik

If you share your source code with anyone, they can do whatever they want with it: read it, change it, delete lines from it (not from your code, but the copy you gave them). So yes, if your program contains some kind of security check, they can easily bypass it.

So, what can you do?

I think "do not share your code" is obvious, but sometimes it is not an option (e.g. you're creating a library or framework).

When you share your code, they can always bypass the security check, unless it's done in a server-client relationship and they do not have access to the server code. It is more secure if the server is running online, not even on their machine. As I've mentioned before in reply to your question about hacking, you can always get the Assembly code of any program, so if they can read Assembly, they can understand what the server does. That being said, there are programs designed to obfuscate the compiled code (that still can be disassembled) to be very confusing and super hard to read.

If you only want to hide some credentials from them, then you can put that password check in a separately compiled library (DLL in Windows) so they won't be able to simply read the password check logic (again, unless they know how to read Assembly).

Just for hiding the password, you can use online resources as well: a service that checks if the password the user entered matches the one stored on the server (which shouldn't be stored, by the way, just some kind of hash of the password).

The bottom line is, if they know only high-level programming languages, you can hide your "secret" in compiled code. If they are true wizards, they can probably break online services too if they can crack the system somehow.

As one of my teachers said: security is a matter of how important a thing is for you and how much it is worth for others.

You can hide your personal computer behind a 10-character-long password and probably no hacker would be interested in trying to break it just to get your pictures of your cat if it would take a month. But if the said 10-character-long password takes one month to break (I'm just making up the character length - time to break relationship, do some research on how long a password should be) but grants them access to your company's bank account that has millions of dollars of income a month, damn well they will spend that month cracking your password.

I think you get the point. :) If you want to trick your mates, hiding the password in a dynamic library is enough, but it won't protect you from hackers who really want to break into your system.

Also, if it's just for your mates, you can do something tricky / interesting, like not having a password equality check, but rather checking some property of your password. E.g. any password would satisfy the security check that is easy to check, but hard to compute or guess. For instance, a credential could be two numbers (a and b) where a² + b² = c² and a, b, and c are all primes. I do not know if there are any such primes that satisfy the equation, but that's the beauty of it: if you know such a trio of numbers, it's easy to solve (authenticate), but if you do not, it's pretty hard to guess one. (Sure you can write a program that would test a series of numbers, but that takes time...)

I think I gave you more of a theoretic answer than a ready-to-use solution. I still hope this helps, even if it's not 100% what you were looking for.

Good luck!

Update 1

I think my example is wrong, as these are the Pythagorean Triples and I do not believe there's any such triple of primes that would satisfy this equation. Anyway, you can come up with your own rule.

Update 2

I was thinking and you could create a fairly simple code that checks a password without exposing the password in the code.

The below code stores the (MD5) hash of your password, instead of the actual password. From the hash, they cannot guess your password, but the correct password always produces the same hash. The below `passwordHexDigest` was created for the super secret "My secret password". If you want to replace the hash (`passwordHexDigest`) with your own, you can just print `hashlib.md5(password.encode()).hexdigest()` of your own password (same piece of code that is used in the if statement).

```python
import hashlib

# Stored MD5 hex digest of the password (the plaintext is not in the code).
passwordHexDigest = "0bf1334ac2aa41ae8de0f705188c1850"
password = input("Enter your password: ")

# Hash the entered password and compare it with the stored digest.
if passwordHexDigest == hashlib.md5(password.encode()).hexdigest():
    print("CORRECT!")
else:
    print("WRONG!")
```

Remember, a hash is not guaranteed to be unique. There is a small chance for hash collision, i.e. other inputs could produce the same hash. However, this chance is pretty low so you can take this as an acceptable risk in most applications.

Enjoy!

commented Jul 11, 2023 by Eidnoxon (5,270 points)
```python
import hashlib

passwordHexDigest = "0bf1334ac2aa41ae8de0f705188c1850"
password = input("Enter your password: ")

if passwordHexDigest == hashlib.md5(password.encode()).hexdigest():
    print("CORRECT!")
else:
    print("WRONG!")
```
It is easy to bypass too if someone were to open my code. They just delete those lines. Can you provide me something simple and really efficient?
Like encrypt the code, and the code still works, or any other stuff.
commented Jul 12, 2023 by Peter Minarik (88,520 points)
Hi Eidnoxon.

I know my reply was lengthy, but please, read it, not just look at the code. I was explaining that the code snippet I shared is only useful for not exposing your password.

To prevent anyone from modifying your code the only option you have is not to share your code.

You can compile your code to an executable and share the .exe with them, so they won't see your code. But again, I explained above that experienced software engineers or hackers can disassemble any binary file (executable, library, etc) and modify the code anyway.

There is no real way to prevent anyone who's running your program from modifying it, if they really want to.

That's why video games have anti-cheat systems that try to monitor the integrity of the game files with more or less success.

So no, unfortunately, there's no easy and simple way to fully protect your program from others modifying it. Even the existing technologies do not work 100% correctly all the time. :(
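
The hash check from Update 2 keeps the plaintext out of the file, but an unsalted MD5 digest can be tested against guesses very quickly by anyone who has the file. As an added example (not part of the original posts), here is the same check with a per-password random salt, PBKDF2-HMAC-SHA256 and a constant-time comparison; the function names, record format and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; raise it as hardware allows


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build the string to embed in place of the bare MD5 hex digest."""
    salt = os.urandom(16)  # fresh random salt: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        if scheme != "pbkdf2_sha256" or len(expected) != 32:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: the password used in the answer above.
    record = make_record("My secret password")
    print(record)
    print(verify("My secret password", record), verify("guess", record))
```

This only makes the stored value expensive to guess from; as the comments above say, a check that runs in code the recipient holds can still be removed.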

0 votes
answered Jul 23, 2023 by Asjad Mulani (140 points)
1. Server-Client Relationship: When you have sensitive code or credentials, one way to add a layer of protection is by creating a server-client relationship. In this scenario, the critical code resides on the server, and the client interacts with it through well-defined interfaces. This way, clients don't have direct access to the sensitive parts of the code.

2. Compiled Code Obfuscation: Compiling the code can make it harder for someone to understand its logic compared to reading it in its original high-level language. Additionally, using code obfuscation techniques can further confuse and complicate the code, making it difficult for others to reverse engineer.

3. Separate Compiled Libraries: If there are specific parts of your code that contain sensitive information, consider placing them in separate compiled libraries (DLLs in Windows). This approach can prevent direct access to the sensitive code, requiring potential attackers to work with the compiled version only.

4. Server-side Password Verification: When dealing with passwords or credentials, offloading the verification process to the server can be more secure. Storing hashed passwords on the server and comparing user input with the hashed values can prevent the exposure of the actual passwords.

5. Unique Verification Methods: Instead of a traditional password check, you can devise creative authentication methods that are easy to validate but difficult to guess. These methods should involve complex mathematical or logical operations that can't be easily reversed or brute-forced.

6. Security Relative to Importance: The level of security measures you apply should be commensurate with the importance of the assets being protected. High-value assets warrant stronger security measures than less critical ones.

Remember that no security measure is foolproof, and the goal is to make it challenging and time-consuming for potential attackers to gain unauthorized access. By combining multiple layers of security and using creative authentication methods, you can increase the difficulty level and deter casual attempts at breaching your code or system.

Ultimately, security is a continuous process, and staying vigilant and updated on the latest security practices is crucial. Good luck with your code and keeping it safe!
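
The server-side verification described in points 1 and 4 above, as an added example that is not part of the original answer: the verifier and the protected result live only in the server process, so editing or deleting checks in the client copy yields nothing. The handler, function names, loopback port and sample values are assumptions of this example.

```python
import hashlib
import hmac
import http.client
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Server-side state (constructed sample values). None of it ships with the client.
ITERATIONS = 100_000
SALT = os.urandom(16)
VERIFIER = hashlib.pbkdf2_hmac("sha256", b"My secret password", SALT, ITERATIONS)
PROTECTED = "result that only the server can produce"


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = min(max(int(self.headers.get("Content-Length", 0)), 0), 4096)
            password = json.loads(self.rfile.read(length))["password"]
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
            ok = hmac.compare_digest(candidate, VERIFIER)
        except (ValueError, KeyError, TypeError, AttributeError):
            ok = False  # malformed request: fail closed
        body = json.dumps({"data": PROTECTED} if ok else {"error": "denied"}).encode()
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: let the OS pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def client_request(port: int, password: str):
    """All the client can do: send a password, receive the server's decision."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/", body=json.dumps({"password": password}).encode())
    resp = conn.getresponse()
    result = resp.status, json.loads(resp.read())
    conn.close()
    return result
```

Over a real network this needs TLS and a limit on failed attempts; plain loopback HTTP is used here only to keep the example self-contained.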

0 votes
answered Aug 14, 2023 by Subham Kumawat (140 points)
```python
import hashlib

passwordHexDigest = "0bf1334ac2aa41ae8de0f705188c1850"
password = input("Enter your password: ")

if passwordHexDigest == hashlib.md5(password.encode()).hexdigest():
    print("CORRECT!")
else:
    print("password!")
```