Python password managerPackage Manager in PythonLicense ManagerPassword generator in Python 3Python 3.4 password generatorSelective password generator in C++ and PythonPython username and password programMultithreaded password crackerFile encryption/decryption in PythonPassword cracking commenting in PythonSecure Password and Passphrase Generator in Python 3

What precisely is a link?

How to scale a verbatim environment on a minipage?

Why do freehub and cassette have only one position that matches?

Proof that when f'(x) < f(x), f(x) =0

Was Unix ever a single-user OS?

Is Jon Snow immune to dragonfire?

Why are there synthetic chemicals in our bodies? Where do they come from?

Is lying to get "gardening leave" fraud?

How do i show this equivalence without using integration?

How can I fairly adjudicate the effects of height differences on ranged attacks?

You look catfish vs You look like a catfish?

Field Length Validation for Desktop Application which has maximum 1000 characters

A non-technological, repeating, phenomenon in the sky, holding its position in the sky for hours

Unidentified items in bicycle tube repair kit

Any examples of headwear for races with animal ears?

Has any spacecraft ever had the ability to directly communicate with civilian air traffic control?

How does NAND gate work? (Very basic question)

How did Arya get back her dagger from Sansa?

If 1. e4 c6 is considered as a sound defense for black, why is 1. c3 so rare?

My ID is expired, can I fly to the Bahamas with my passport?

What word means "to make something obsolete"?

How could a planet have most of its water in the atmosphere?

Catholic vs Protestant Support for Nazism in Germany

Accidentally deleted the "/usr/share" folder



Python password manager


Package Manager in PythonLicense ManagerPassword generator in Python 3Python 3.4 password generatorSelective password generator in C++ and PythonPython username and password programMultithreaded password crackerFile encryption/decryption in PythonPassword cracking commenting in PythonSecure Password and Passphrase Generator in Python 3






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








5












$begingroup$


I am writing a python password manager, and I know there's a lot of scrutiny that goes into storing passwords (don't worry, mine aren't plaintext). I was hoping that this community could help me improve style, use of libraries, or anything else. Any and all pointers are gladly accepted.



There were a few ideas that I implemented here:



  • encrypting each password with a unique salt, even in memory

  • encrypting each database with a unique salt when they are stored long-term

  • be able to save to a database file (custom format)

  • be able to read from a database file (custom format)

I know that there are a lot of services that do this kind of thing already, but I thought I'd give it a spin, to learn and have fun. Some samples of how to use the library are provided by the runner file.



runner:



import sys, os
from .passdb import PassDB

if __name__ == "__main__":
a = PassDB()
# print(a)
a.password = "password"
a.set_entry("user", "localhost", "sample_password")
# print(a.enc_str())
a_copy = PassDB.open_db(a.enc_str(), "password")
# print(a_copy.password)
if a_copy is not None:
print(a_copy.get_entry("user@localhost"))
print(a_copy.get_password("user@localhost"))
a_copy.save_as("tmp.passdb", "sample Password")



passdb.py:



import base64
import hashlib
import pandas
from Crypto import Random
from Crypto.Cipher import AES
import json
import re
from io import StringIO
import datetime


class PassDB(object):

_valid_init_fields = ["data", "path", "password", "settings"]
version = "Version 0.0.1"
settings: dict
data: pandas.DataFrame
_defaults =
"salt_size": 64,
"block_size": 32, # Using AES256
"enc_sample_content": "The provided password is correct",
"salt": None,
"path": None,
"hash_depth": 9


_format = """### PYPASSMAN version ###
settings
### SAMPLE ###
enc_sample
### DATA ###
data
"""

def __init__(self, *args, **kwargs):
if len(args) > 3:
raise TypeError("Too Many Arguments")
if len(args) > 2:
self.data = args[2]
else:
self.data = None
if len(args) > 1:
self.password = args[1]
else:
self.password = None
if len(args) > 0:
self.path = args[0]
else:
self.path = None

for key, arg in kwargs.items():
if key in self._valid_init_fields:
setattr(self, key, arg)

if self.data is None:
self.data = pandas.DataFrame(
columns=[
"account",
"hostname",
"salt",
"password",
"hash_depth",
"dateModified",
"dateCreated"
]
)

if getattr(self, "settings", None) is None:
self.settings = self._defaults.copy()
if self.settings.get("salt", None) is None:
self.settings["salt"] = base64.b64encode(Random.new().read(
self.settings["salt_size"]
)).decode("utf-8")

for key in self._defaults.keys():
if key not in self.settings:
self.settings[key] = self._defaults[key]

@classmethod
def open_db(cls, raw, password):
settings, sample, data = (*map(
lambda string: string.strip(),
re.split(r"###.*###n", raw)[1:]
),)
settings = json.loads(settings)
sample = cls._decrypt(sample, password, settings["salt"], settings["hash_depth"])
if not sample == settings["enc_sample_content"]:
raise ValueError(
"Cannot open PassDB: incorrect password provided")
data = cls._decrypt(data, password, settings["salt"], settings["hash_depth"])
data = pandas.read_csv(StringIO(data))
output = cls(
settings=settings,
data=data,
password=password
)
return output

def save_as(self, path, password):
settings_cp = self.settings.copy()
settings_cp["path"] = path
new_dict = self.__class__(
data = self.data,
path = path,
password = password,
settings = settings_cp
)
new_dict.save()
return True

def save(self):
with open(self.path, "w+") as dest:
enc_data = self._encrypt(
self.data.to_csv(index_label="index"),
self.password, self.settings["salt"],
self.settings["hash_depth"]
)
enc_sample = self._encrypt(
self.settings["enc_sample_content"],
self.password, self.settings["salt"],
self.settings["hash_depth"])
dest.write(self._format.format(
version=str(self.version),
settings=json.dumps(self.settings),
data=enc_data,
enc_sample=enc_sample
))

@classmethod
def _encrypt(cls, raw, password, salt, hash_depth):
raw = cls._pad(raw)
iv = Random.new().read(AES.block_size)
salt = base64.b64decode(salt)
key = hashlib.sha256(
str(password).encode() + salt
).digest()
for i in range(hash_depth):
key = hashlib.sha256(key + salt).digest()
cipher = AES.new(key, AES.MODE_CBC, iv)
return base64.b64encode(iv + cipher.encrypt(raw)).decode("utf-8")

@classmethod
def _decrypt(cls, enc, password, salt, hash_depth):
enc = base64.b64decode(enc)
iv = enc[:AES.block_size]
salt = base64.b64decode(salt)
key = hashlib.sha256(
password.encode() + salt
).digest()
for i in range(hash_depth):
key = hashlib.sha256(key + salt).digest()

cipher = AES.new(key, AES.MODE_CBC, iv)
try:
return cls._unpad(
cipher.decrypt(
enc[AES.block_size:]
)
).decode('utf-8')
except UnicodeDecodeError:
raise ValueError("Incorrect Password")

@classmethod
def _pad(cls, s):
bs = cls._defaults["block_size"]
return (
s + (bs - len(s) % bs) *
chr(bs - len(s) % bs)
)

@staticmethod
def _unpad(s):
return s[:-ord(s[len(s)-1:])]

def enc_str(self):
enc_data = self._encrypt(
self.data.to_csv(index_label="index"),
self.password, self.settings["salt"],
self.settings["hash_depth"]
)
enc_sample = self._encrypt(
self.settings["enc_sample_content"],
self.password, self.settings["salt"],
self.settings["hash_depth"]
)
return (self._format.format(
version=str(self.version),
enc_sample=enc_sample,
settings=json.dumps(self.settings),
data=enc_data
))

def __str__(self):
path = self.settings["path"]
return "PassDB < entries>".format(
len(self.data),
" at ''".format(path) if path is not None else ""
)

def set_entry(self, *args):
account, hostname, password = None, None, None
if len(args) == 1:
account, hostname_password = args[0].split("@")
hostname, password, other = hostname_password.split(":")
elif len(args) == 2:
account_hostname, password = args
account, hostname = account_hostname.split("@")
elif len(args) == 3:
account, hostname, password = args
else:
raise ValueError("""
PassDB.set_entry :: Too many arguments
usage(1): get_password(account, hostname, password)
usage(2): get_password("account@hostname", password)
usage(3): get_password("account@hostname:password") """
)

for char in (":", "@"):
for item in account, hostname, password:
if char in item:
raise ValueError("""
account, hostname, and password cannot contain colon (:) or at symbol (@)""")

if len(self.data) > 0:
for index, entry in self.data.iterrows():
if entry["account"] == account and entry["hostname"] == hostname:
salt = base64.b64encode(Random.new().read(
self.settings["salt_size"]
)).decode("utf-8")
password = self._encrypt(
password,
self.settings["salt"],
salt,
self.settings["hash_depth"]
)
self.data.loc[index] = (
account, hostname,
salt, password,
self.settings["hash_depth"],
str(datetime.datetime.utcnow().isoformat()),
str(datetime.datetime.utcnow().isoformat())
)
else:
salt = base64.b64encode(Random.new().read(
self.settings["salt_size"]
)).decode("utf-8")
password = self._encrypt(
password,
self.settings["salt"],
salt,
self.settings["hash_depth"]
)
self.data.loc[0] = (
account,
hostname,
salt,
password,
self.settings["hash_depth"],
str(datetime.datetime.utcnow().isoformat()),
str(datetime.datetime.utcnow().isoformat())
)

def get_entry(self, *args):
if len(args) == 1:
account, hostname = args[0].split("@")
elif len(args) == 2:
account, hostname = args
else:
raise ValueError("""
PassDB.get_entry :: Too many arguments
usage(1): get_entry(account, hostname)
usage(2): get_entry("account@hostname")""")
if(getattr(self, "password") is None):
raise ValueError("Cannot get entry when PassDB instance password is None")
if(len(self.data)) == 0:
return None
for index, entry in self.data.iterrows():
if entry["account"] == account and entry["hostname"] == hostname:
return entry
return None

def get_password(self, *args):
if len(args) == 1:
account, hostname = args[0].split("@")
elif len(args) == 2:
account, hostname = args
else:
raise ValueError("""
PassDB.get_password :: Too many arguments
usage(1): get_password(account, hostname)
usage(2): get_password("account@hostname")""")

entry = self.get_entry(account, hostname)
if isinstance(entry["password"], str):
return self._decrypt(entry["password"], self.settings["salt"], entry["salt"], entry["hash_depth"])
raise ValueError("Password for account@hostname in unexpected format".format(**entry))
```









share|improve this question









$endgroup$


















    5












    $begingroup$


    I am writing a python password manager, and I know there's a lot of scrutiny that goes into storing passwords (don't worry, mine aren't plaintext). I was hoping that this community could help me improve style, use of libraries, or anything else. Any and all pointers are gladly accepted.



    There were a few ideas that I implemented here:



    • encrypting each password with a unique salt, even in memory

    • encrypting each database with a unique salt when they are stored long-term

    • be able to save to a database file (custom format)

    • be able to read from a database file (custom format)

    I know that there are a lot of services that do this kind of thing already, but I thought I'd give it a spin, to learn and have fun. Some samples of how to use the library are provided by the runner file.



    runner:



    import sys, os
    from .passdb import PassDB

    if __name__ == "__main__":
    a = PassDB()
    # print(a)
    a.password = "password"
    a.set_entry("user", "localhost", "sample_password")
    # print(a.enc_str())
    a_copy = PassDB.open_db(a.enc_str(), "password")
    # print(a_copy.password)
    if a_copy is not None:
    print(a_copy.get_entry("user@localhost"))
    print(a_copy.get_password("user@localhost"))
    a_copy.save_as("tmp.passdb", "sample Password")



    passdb.py:



    import base64
    import hashlib
    import pandas
    from Crypto import Random
    from Crypto.Cipher import AES
    import json
    import re
    from io import StringIO
    import datetime


    class PassDB(object):

    _valid_init_fields = ["data", "path", "password", "settings"]
    version = "Version 0.0.1"
    settings: dict
    data: pandas.DataFrame
    _defaults =
    "salt_size": 64,
    "block_size": 32, # Using AES256
    "enc_sample_content": "The provided password is correct",
    "salt": None,
    "path": None,
    "hash_depth": 9


    _format = """### PYPASSMAN version ###
    settings
    ### SAMPLE ###
    enc_sample
    ### DATA ###
    data
    """

    def __init__(self, *args, **kwargs):
    if len(args) > 3:
    raise TypeError("Too Many Arguments")
    if len(args) > 2:
    self.data = args[2]
    else:
    self.data = None
    if len(args) > 1:
    self.password = args[1]
    else:
    self.password = None
    if len(args) > 0:
    self.path = args[0]
    else:
    self.path = None

    for key, arg in kwargs.items():
    if key in self._valid_init_fields:
    setattr(self, key, arg)

    if self.data is None:
    self.data = pandas.DataFrame(
    columns=[
    "account",
    "hostname",
    "salt",
    "password",
    "hash_depth",
    "dateModified",
    "dateCreated"
    ]
    )

    if getattr(self, "settings", None) is None:
    self.settings = self._defaults.copy()
    if self.settings.get("salt", None) is None:
    self.settings["salt"] = base64.b64encode(Random.new().read(
    self.settings["salt_size"]
    )).decode("utf-8")

    for key in self._defaults.keys():
    if key not in self.settings:
    self.settings[key] = self._defaults[key]

    @classmethod
    def open_db(cls, raw, password):
    settings, sample, data = (*map(
    lambda string: string.strip(),
    re.split(r"###.*###n", raw)[1:]
    ),)
    settings = json.loads(settings)
    sample = cls._decrypt(sample, password, settings["salt"], settings["hash_depth"])
    if not sample == settings["enc_sample_content"]:
    raise ValueError(
    "Cannot open PassDB: incorrect password provided")
    data = cls._decrypt(data, password, settings["salt"], settings["hash_depth"])
    data = pandas.read_csv(StringIO(data))
    output = cls(
    settings=settings,
    data=data,
    password=password
    )
    return output

    def save_as(self, path, password):
    settings_cp = self.settings.copy()
    settings_cp["path"] = path
    new_dict = self.__class__(
    data = self.data,
    path = path,
    password = password,
    settings = settings_cp
    )
    new_dict.save()
    return True

    def save(self):
    with open(self.path, "w+") as dest:
    enc_data = self._encrypt(
    self.data.to_csv(index_label="index"),
    self.password, self.settings["salt"],
    self.settings["hash_depth"]
    )
    enc_sample = self._encrypt(
    self.settings["enc_sample_content"],
    self.password, self.settings["salt"],
    self.settings["hash_depth"])
    dest.write(self._format.format(
    version=str(self.version),
    settings=json.dumps(self.settings),
    data=enc_data,
    enc_sample=enc_sample
    ))

    @classmethod
    def _encrypt(cls, raw, password, salt, hash_depth):
    raw = cls._pad(raw)
    iv = Random.new().read(AES.block_size)
    salt = base64.b64decode(salt)
    key = hashlib.sha256(
    str(password).encode() + salt
    ).digest()
    for i in range(hash_depth):
    key = hashlib.sha256(key + salt).digest()
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return base64.b64encode(iv + cipher.encrypt(raw)).decode("utf-8")

    @classmethod
    def _decrypt(cls, enc, password, salt, hash_depth):
    enc = base64.b64decode(enc)
    iv = enc[:AES.block_size]
    salt = base64.b64decode(salt)
    key = hashlib.sha256(
    password.encode() + salt
    ).digest()
    for i in range(hash_depth):
    key = hashlib.sha256(key + salt).digest()

    cipher = AES.new(key, AES.MODE_CBC, iv)
    try:
    return cls._unpad(
    cipher.decrypt(
    enc[AES.block_size:]
    )
    ).decode('utf-8')
    except UnicodeDecodeError:
    raise ValueError("Incorrect Password")

    @classmethod
    def _pad(cls, s):
    bs = cls._defaults["block_size"]
    return (
    s + (bs - len(s) % bs) *
    chr(bs - len(s) % bs)
    )

    @staticmethod
    def _unpad(s):
    return s[:-ord(s[len(s)-1:])]

    def enc_str(self):
    enc_data = self._encrypt(
    self.data.to_csv(index_label="index"),
    self.password, self.settings["salt"],
    self.settings["hash_depth"]
    )
    enc_sample = self._encrypt(
    self.settings["enc_sample_content"],
    self.password, self.settings["salt"],
    self.settings["hash_depth"]
    )
    return (self._format.format(
    version=str(self.version),
    enc_sample=enc_sample,
    settings=json.dumps(self.settings),
    data=enc_data
    ))

    def __str__(self):
    path = self.settings["path"]
    return "PassDB < entries>".format(
    len(self.data),
    " at ''".format(path) if path is not None else ""
    )

    def set_entry(self, *args):
    account, hostname, password = None, None, None
    if len(args) == 1:
    account, hostname_password = args[0].split("@")
    hostname, password, other = hostname_password.split(":")
    elif len(args) == 2:
    account_hostname, password = args
    account, hostname = account_hostname.split("@")
    elif len(args) == 3:
    account, hostname, password = args
    else:
    raise ValueError("""
    PassDB.set_entry :: Too many arguments
    usage(1): get_password(account, hostname, password)
    usage(2): get_password("account@hostname", password)
    usage(3): get_password("account@hostname:password") """
    )

    for char in (":", "@"):
    for item in account, hostname, password:
    if char in item:
    raise ValueError("""
    account, hostname, and password cannot contain colon (:) or at symbol (@)""")

    if len(self.data) > 0:
    for index, entry in self.data.iterrows():
    if entry["account"] == account and entry["hostname"] == hostname:
    salt = base64.b64encode(Random.new().read(
    self.settings["salt_size"]
    )).decode("utf-8")
    password = self._encrypt(
    password,
    self.settings["salt"],
    salt,
    self.settings["hash_depth"]
    )
    self.data.loc[index] = (
    account, hostname,
    salt, password,
    self.settings["hash_depth"],
    str(datetime.datetime.utcnow().isoformat()),
    str(datetime.datetime.utcnow().isoformat())
    )
    else:
    salt = base64.b64encode(Random.new().read(
    self.settings["salt_size"]
    )).decode("utf-8")
    password = self._encrypt(
    password,
    self.settings["salt"],
    salt,
    self.settings["hash_depth"]
    )
    self.data.loc[0] = (
    account,
    hostname,
    salt,
    password,
    self.settings["hash_depth"],
    str(datetime.datetime.utcnow().isoformat()),
    str(datetime.datetime.utcnow().isoformat())
    )

    def get_entry(self, *args):
    if len(args) == 1:
    account, hostname = args[0].split("@")
    elif len(args) == 2:
    account, hostname = args
    else:
    raise ValueError("""
    PassDB.get_entry :: Too many arguments
    usage(1): get_entry(account, hostname)
    usage(2): get_entry("account@hostname")""")
    if(getattr(self, "password") is None):
    raise ValueError("Cannot get entry when PassDB instance password is None")
    if(len(self.data)) == 0:
    return None
    for index, entry in self.data.iterrows():
    if entry["account"] == account and entry["hostname"] == hostname:
    return entry
    return None

    def get_password(self, *args):
    if len(args) == 1:
    account, hostname = args[0].split("@")
    elif len(args) == 2:
    account, hostname = args
    else:
    raise ValueError("""
    PassDB.get_password :: Too many arguments
    usage(1): get_password(account, hostname)
    usage(2): get_password("account@hostname")""")

    entry = self.get_entry(account, hostname)
    if isinstance(entry["password"], str):
    return self._decrypt(entry["password"], self.settings["salt"], entry["salt"], entry["hash_depth"])
    raise ValueError("Password for account@hostname in unexpected format".format(**entry))
    ```









    share|improve this question









    $endgroup$














      5












      5








      5


      2



      $begingroup$


      I am writing a python password manager, and I know there's a lot of scrutiny that goes into storing passwords (don't worry, mine aren't plaintext). I was hoping that this community could help me improve style, use of libraries, or anything else. Any and all pointers are gladly accepted.



      There were a few ideas that I implemented here:



      • encrypting each password with a unique salt, even in memory

      • encrypting each database with a unique salt when they are stored long-term

      • be able to save to a database file (custom format)

      • be able to read from a database file (custom format)

      I know that there are a lot of services that do this kind of thing already, but I thought I'd give it a spin, to learn and have fun. Some samples of how to use the library are provided by the runner file.



      runner:



      import sys, os
      from .passdb import PassDB

      if __name__ == "__main__":
      a = PassDB()
      # print(a)
      a.password = "password"
      a.set_entry("user", "localhost", "sample_password")
      # print(a.enc_str())
      a_copy = PassDB.open_db(a.enc_str(), "password")
      # print(a_copy.password)
      if a_copy is not None:
      print(a_copy.get_entry("user@localhost"))
      print(a_copy.get_password("user@localhost"))
      a_copy.save_as("tmp.passdb", "sample Password")



      passdb.py:



      import base64
      import hashlib
      import pandas
      from Crypto import Random
      from Crypto.Cipher import AES
      import json
      import re
      from io import StringIO
      import datetime


      class PassDB(object):

      _valid_init_fields = ["data", "path", "password", "settings"]
      version = "Version 0.0.1"
      settings: dict
      data: pandas.DataFrame
      _defaults =
      "salt_size": 64,
      "block_size": 32, # Using AES256
      "enc_sample_content": "The provided password is correct",
      "salt": None,
      "path": None,
      "hash_depth": 9


      _format = """### PYPASSMAN version ###
      settings
      ### SAMPLE ###
      enc_sample
      ### DATA ###
      data
      """

      def __init__(self, *args, **kwargs):
      if len(args) > 3:
      raise TypeError("Too Many Arguments")
      if len(args) > 2:
      self.data = args[2]
      else:
      self.data = None
      if len(args) > 1:
      self.password = args[1]
      else:
      self.password = None
      if len(args) > 0:
      self.path = args[0]
      else:
      self.path = None

      for key, arg in kwargs.items():
      if key in self._valid_init_fields:
      setattr(self, key, arg)

      if self.data is None:
      self.data = pandas.DataFrame(
      columns=[
      "account",
      "hostname",
      "salt",
      "password",
      "hash_depth",
      "dateModified",
      "dateCreated"
      ]
      )

      if getattr(self, "settings", None) is None:
      self.settings = self._defaults.copy()
      if self.settings.get("salt", None) is None:
      self.settings["salt"] = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")

      for key in self._defaults.keys():
      if key not in self.settings:
      self.settings[key] = self._defaults[key]

      @classmethod
      def open_db(cls, raw, password):
      settings, sample, data = (*map(
      lambda string: string.strip(),
      re.split(r"###.*###n", raw)[1:]
      ),)
      settings = json.loads(settings)
      sample = cls._decrypt(sample, password, settings["salt"], settings["hash_depth"])
      if not sample == settings["enc_sample_content"]:
      raise ValueError(
      "Cannot open PassDB: incorrect password provided")
      data = cls._decrypt(data, password, settings["salt"], settings["hash_depth"])
      data = pandas.read_csv(StringIO(data))
      output = cls(
      settings=settings,
      data=data,
      password=password
      )
      return output

      def save_as(self, path, password):
      settings_cp = self.settings.copy()
      settings_cp["path"] = path
      new_dict = self.__class__(
      data = self.data,
      path = path,
      password = password,
      settings = settings_cp
      )
      new_dict.save()
      return True

      def save(self):
      with open(self.path, "w+") as dest:
      enc_data = self._encrypt(
      self.data.to_csv(index_label="index"),
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      enc_sample = self._encrypt(
      self.settings["enc_sample_content"],
      self.password, self.settings["salt"],
      self.settings["hash_depth"])
      dest.write(self._format.format(
      version=str(self.version),
      settings=json.dumps(self.settings),
      data=enc_data,
      enc_sample=enc_sample
      ))

      @classmethod
      def _encrypt(cls, raw, password, salt, hash_depth):
      raw = cls._pad(raw)
      iv = Random.new().read(AES.block_size)
      salt = base64.b64decode(salt)
      key = hashlib.sha256(
      str(password).encode() + salt
      ).digest()
      for i in range(hash_depth):
      key = hashlib.sha256(key + salt).digest()
      cipher = AES.new(key, AES.MODE_CBC, iv)
      return base64.b64encode(iv + cipher.encrypt(raw)).decode("utf-8")

      @classmethod
      def _decrypt(cls, enc, password, salt, hash_depth):
      enc = base64.b64decode(enc)
      iv = enc[:AES.block_size]
      salt = base64.b64decode(salt)
      key = hashlib.sha256(
      password.encode() + salt
      ).digest()
      for i in range(hash_depth):
      key = hashlib.sha256(key + salt).digest()

      cipher = AES.new(key, AES.MODE_CBC, iv)
      try:
      return cls._unpad(
      cipher.decrypt(
      enc[AES.block_size:]
      )
      ).decode('utf-8')
      except UnicodeDecodeError:
      raise ValueError("Incorrect Password")

      @classmethod
      def _pad(cls, s):
      bs = cls._defaults["block_size"]
      return (
      s + (bs - len(s) % bs) *
      chr(bs - len(s) % bs)
      )

      @staticmethod
      def _unpad(s):
      return s[:-ord(s[len(s)-1:])]

      def enc_str(self):
      enc_data = self._encrypt(
      self.data.to_csv(index_label="index"),
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      enc_sample = self._encrypt(
      self.settings["enc_sample_content"],
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      return (self._format.format(
      version=str(self.version),
      enc_sample=enc_sample,
      settings=json.dumps(self.settings),
      data=enc_data
      ))

      def __str__(self):
      path = self.settings["path"]
      return "PassDB < entries>".format(
      len(self.data),
      " at ''".format(path) if path is not None else ""
      )

      def set_entry(self, *args):
      account, hostname, password = None, None, None
      if len(args) == 1:
      account, hostname_password = args[0].split("@")
      hostname, password, other = hostname_password.split(":")
      elif len(args) == 2:
      account_hostname, password = args
      account, hostname = account_hostname.split("@")
      elif len(args) == 3:
      account, hostname, password = args
      else:
      raise ValueError("""
      PassDB.set_entry :: Too many arguments
      usage(1): get_password(account, hostname, password)
      usage(2): get_password("account@hostname", password)
      usage(3): get_password("account@hostname:password") """
      )

      for char in (":", "@"):
      for item in account, hostname, password:
      if char in item:
      raise ValueError("""
      account, hostname, and password cannot contain colon (:) or at symbol (@)""")

      if len(self.data) > 0:
      for index, entry in self.data.iterrows():
      if entry["account"] == account and entry["hostname"] == hostname:
      salt = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")
      password = self._encrypt(
      password,
      self.settings["salt"],
      salt,
      self.settings["hash_depth"]
      )
      self.data.loc[index] = (
      account, hostname,
      salt, password,
      self.settings["hash_depth"],
      str(datetime.datetime.utcnow().isoformat()),
      str(datetime.datetime.utcnow().isoformat())
      )
      else:
      salt = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")
      password = self._encrypt(
      password,
      self.settings["salt"],
      salt,
      self.settings["hash_depth"]
      )
      self.data.loc[0] = (
      account,
      hostname,
      salt,
      password,
      self.settings["hash_depth"],
      str(datetime.datetime.utcnow().isoformat()),
      str(datetime.datetime.utcnow().isoformat())
      )

      def get_entry(self, *args):
      if len(args) == 1:
      account, hostname = args[0].split("@")
      elif len(args) == 2:
      account, hostname = args
      else:
      raise ValueError("""
      PassDB.get_entry :: Too many arguments
      usage(1): get_entry(account, hostname)
      usage(2): get_entry("account@hostname")""")
      if(getattr(self, "password") is None):
      raise ValueError("Cannot get entry when PassDB instance password is None")
      if(len(self.data)) == 0:
      return None
      for index, entry in self.data.iterrows():
      if entry["account"] == account and entry["hostname"] == hostname:
      return entry
      return None

      def get_password(self, *args):
      if len(args) == 1:
      account, hostname = args[0].split("@")
      elif len(args) == 2:
      account, hostname = args
      else:
      raise ValueError("""
      PassDB.get_password :: Too many arguments
      usage(1): get_password(account, hostname)
      usage(2): get_password("account@hostname")""")

      entry = self.get_entry(account, hostname)
      if isinstance(entry["password"], str):
      return self._decrypt(entry["password"], self.settings["salt"], entry["salt"], entry["hash_depth"])
      raise ValueError("Password for account@hostname in unexpected format".format(**entry))
      ```









      share|improve this question









      $endgroup$




      I am writing a python password manager, and I know there's a lot of scrutiny that goes into storing passwords (don't worry, mine aren't plaintext). I was hoping that this community could help me improve style, use of libraries, or anything else. Any and all pointers are gladly accepted.



      There were a few ideas that I implemented here:



      • encrypting each password with a unique salt, even in memory

      • encrypting each database with a unique salt when they are stored long-term

      • be able to save to a database file (custom format)

      • be able to read from a database file (custom format)

      I know that there are a lot of services that do this kind of thing already, but I thought I'd give it a spin, to learn and have fun. Some samples of how to use the library are provided by the runner file.



      runner:



      import sys, os
      from .passdb import PassDB

      if __name__ == "__main__":
      a = PassDB()
      # print(a)
      a.password = "password"
      a.set_entry("user", "localhost", "sample_password")
      # print(a.enc_str())
      a_copy = PassDB.open_db(a.enc_str(), "password")
      # print(a_copy.password)
      if a_copy is not None:
      print(a_copy.get_entry("user@localhost"))
      print(a_copy.get_password("user@localhost"))
      a_copy.save_as("tmp.passdb", "sample Password")



      passdb.py:



      import base64
      import hashlib
      import pandas
      from Crypto import Random
      from Crypto.Cipher import AES
      import json
      import re
      from io import StringIO
      import datetime


      class PassDB(object):

      _valid_init_fields = ["data", "path", "password", "settings"]
      version = "Version 0.0.1"
      settings: dict
      data: pandas.DataFrame
      _defaults =
      "salt_size": 64,
      "block_size": 32, # Using AES256
      "enc_sample_content": "The provided password is correct",
      "salt": None,
      "path": None,
      "hash_depth": 9


      _format = """### PYPASSMAN version ###
      settings
      ### SAMPLE ###
      enc_sample
      ### DATA ###
      data
      """

      def __init__(self, *args, **kwargs):
      if len(args) > 3:
      raise TypeError("Too Many Arguments")
      if len(args) > 2:
      self.data = args[2]
      else:
      self.data = None
      if len(args) > 1:
      self.password = args[1]
      else:
      self.password = None
      if len(args) > 0:
      self.path = args[0]
      else:
      self.path = None

      for key, arg in kwargs.items():
      if key in self._valid_init_fields:
      setattr(self, key, arg)

      if self.data is None:
      self.data = pandas.DataFrame(
      columns=[
      "account",
      "hostname",
      "salt",
      "password",
      "hash_depth",
      "dateModified",
      "dateCreated"
      ]
      )

      if getattr(self, "settings", None) is None:
      self.settings = self._defaults.copy()
      if self.settings.get("salt", None) is None:
      self.settings["salt"] = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")

      for key in self._defaults.keys():
      if key not in self.settings:
      self.settings[key] = self._defaults[key]

      @classmethod
      def open_db(cls, raw, password):
      settings, sample, data = (*map(
      lambda string: string.strip(),
      re.split(r"###.*###n", raw)[1:]
      ),)
      settings = json.loads(settings)
      sample = cls._decrypt(sample, password, settings["salt"], settings["hash_depth"])
      if not sample == settings["enc_sample_content"]:
      raise ValueError(
      "Cannot open PassDB: incorrect password provided")
      data = cls._decrypt(data, password, settings["salt"], settings["hash_depth"])
      data = pandas.read_csv(StringIO(data))
      output = cls(
      settings=settings,
      data=data,
      password=password
      )
      return output

      def save_as(self, path, password):
      settings_cp = self.settings.copy()
      settings_cp["path"] = path
      new_dict = self.__class__(
      data = self.data,
      path = path,
      password = password,
      settings = settings_cp
      )
      new_dict.save()
      return True

      def save(self):
      with open(self.path, "w+") as dest:
      enc_data = self._encrypt(
      self.data.to_csv(index_label="index"),
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      enc_sample = self._encrypt(
      self.settings["enc_sample_content"],
      self.password, self.settings["salt"],
      self.settings["hash_depth"])
      dest.write(self._format.format(
      version=str(self.version),
      settings=json.dumps(self.settings),
      data=enc_data,
      enc_sample=enc_sample
      ))

      @classmethod
      def _encrypt(cls, raw, password, salt, hash_depth):
      raw = cls._pad(raw)
      iv = Random.new().read(AES.block_size)
      salt = base64.b64decode(salt)
      key = hashlib.sha256(
      str(password).encode() + salt
      ).digest()
      for i in range(hash_depth):
      key = hashlib.sha256(key + salt).digest()
      cipher = AES.new(key, AES.MODE_CBC, iv)
      return base64.b64encode(iv + cipher.encrypt(raw)).decode("utf-8")

      @classmethod
      def _decrypt(cls, enc, password, salt, hash_depth):
      enc = base64.b64decode(enc)
      iv = enc[:AES.block_size]
      salt = base64.b64decode(salt)
      key = hashlib.sha256(
      password.encode() + salt
      ).digest()
      for i in range(hash_depth):
      key = hashlib.sha256(key + salt).digest()

      cipher = AES.new(key, AES.MODE_CBC, iv)
      try:
      return cls._unpad(
      cipher.decrypt(
      enc[AES.block_size:]
      )
      ).decode('utf-8')
      except UnicodeDecodeError:
      raise ValueError("Incorrect Password")

      @classmethod
      def _pad(cls, s):
      bs = cls._defaults["block_size"]
      return (
      s + (bs - len(s) % bs) *
      chr(bs - len(s) % bs)
      )

      @staticmethod
      def _unpad(s):
      return s[:-ord(s[len(s)-1:])]

      def enc_str(self):
      enc_data = self._encrypt(
      self.data.to_csv(index_label="index"),
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      enc_sample = self._encrypt(
      self.settings["enc_sample_content"],
      self.password, self.settings["salt"],
      self.settings["hash_depth"]
      )
      return (self._format.format(
      version=str(self.version),
      enc_sample=enc_sample,
      settings=json.dumps(self.settings),
      data=enc_data
      ))

      def __str__(self):
      path = self.settings["path"]
      return "PassDB < entries>".format(
      len(self.data),
      " at ''".format(path) if path is not None else ""
      )

      def set_entry(self, *args):
      account, hostname, password = None, None, None
      if len(args) == 1:
      account, hostname_password = args[0].split("@")
      hostname, password, other = hostname_password.split(":")
      elif len(args) == 2:
      account_hostname, password = args
      account, hostname = account_hostname.split("@")
      elif len(args) == 3:
      account, hostname, password = args
      else:
      raise ValueError("""
      PassDB.set_entry :: Too many arguments
      usage(1): get_password(account, hostname, password)
      usage(2): get_password("account@hostname", password)
      usage(3): get_password("account@hostname:password") """
      )

      for char in (":", "@"):
      for item in account, hostname, password:
      if char in item:
      raise ValueError("""
      account, hostname, and password cannot contain colon (:) or at symbol (@)""")

      if len(self.data) > 0:
      for index, entry in self.data.iterrows():
      if entry["account"] == account and entry["hostname"] == hostname:
      salt = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")
      password = self._encrypt(
      password,
      self.settings["salt"],
      salt,
      self.settings["hash_depth"]
      )
      self.data.loc[index] = (
      account, hostname,
      salt, password,
      self.settings["hash_depth"],
      str(datetime.datetime.utcnow().isoformat()),
      str(datetime.datetime.utcnow().isoformat())
      )
      else:
      salt = base64.b64encode(Random.new().read(
      self.settings["salt_size"]
      )).decode("utf-8")
      password = self._encrypt(
      password,
      self.settings["salt"],
      salt,
      self.settings["hash_depth"]
      )
      self.data.loc[0] = (
      account,
      hostname,
      salt,
      password,
      self.settings["hash_depth"],
      str(datetime.datetime.utcnow().isoformat()),
      str(datetime.datetime.utcnow().isoformat())
      )

      def get_entry(self, *args):
      if len(args) == 1:
      account, hostname = args[0].split("@")
      elif len(args) == 2:
      account, hostname = args
      else:
      raise ValueError("""
      PassDB.get_entry :: Too many arguments
      usage(1): get_entry(account, hostname)
      usage(2): get_entry("account@hostname")""")
      if(getattr(self, "password") is None):
      raise ValueError("Cannot get entry when PassDB instance password is None")
      if(len(self.data)) == 0:
      return None
      for index, entry in self.data.iterrows():
      if entry["account"] == account and entry["hostname"] == hostname:
      return entry
      return None

      def get_password(self, *args):
      if len(args) == 1:
      account, hostname = args[0].split("@")
      elif len(args) == 2:
      account, hostname = args
      else:
      raise ValueError("""
      PassDB.get_password :: Too many arguments
      usage(1): get_password(account, hostname)
      usage(2): get_password("account@hostname")""")

      entry = self.get_entry(account, hostname)
      if isinstance(entry["password"], str):
      return self._decrypt(entry["password"], self.settings["salt"], entry["salt"], entry["hash_depth"])
      raise ValueError("Password for account@hostname in unexpected format".format(**entry))
      ```






      python python-3.x security aes






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 8 hours ago









      David CulbrethDavid Culbreth

      1485




      1485




















          1 Answer
          1






          active

          oldest

          votes


















          6












          $begingroup$

          Some general tips:



          1. The runner should use argparse to parse arguments. It most definitely should not hardcode passwords.


          2. (object) is redundant in Python 3 class definitions.


          3. I'd recommend running any Python code through Black, flake8 and mypy with a strict configuration like this one:



            [flake8]
            doctests = true
            exclude =
            .git
            max-complexity = 5
            max-line-length = 120
            ignore = W503,E203

            [mypy]
            check_untyped_defs = true
            disallow_untyped_defs = true
            ignore_missing_imports = true
            no_implicit_optional = true
            warn_redundant_casts = true
            warn_return_any = true
            warn_unused_ignores = true


          4. You reuse variable names with completely different semantics. This is a really bad idea for understanding what the code is doing and following along even otherwise trivial logic.

          5. Names should be descriptive, for example password_database = PasswordDatabase().

          6. Don't use *args and **kwargs unless you need dynamic parameter lists. Rather than indexing *args you should use named parameters. If they have default values those should go in the method signature.


          7. .get(foo, None) can be simplified to .get(foo) - get() returns None by default.


          8. if foo is None can in the vast majority of cases be changed to the more idiomatic if foo.

          9. I would highly recommend using a well-known open format such as the KeePass one for storing this data.


          10. This should not be in there:



            if not sample == settings["enc_sample_content"]:
            raise ValueError(
            "Cannot open PassDB: incorrect password provided")


          11. There is a lot of encoding and decoding happening, which greatly obfuscates the state and looks unnecessary in several places.

          12. I would not trust this sort of code without a comprehensive test suite.

          With the caveat that I'm not a cryptographer:



          1. Salting does not make sense unless you're hashing the password (which you don't want to do in this case). I'll refrain from any other comments on how the salting is done unless someone corrects this.





          share|improve this answer











          $endgroup$












          • $begingroup$
            I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
            $endgroup$
            – AlexV
            2 hours ago










          • $begingroup$
            +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
            $endgroup$
            – Samy Bencherif
            4 mins ago











          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "196"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f219400%2fpython-password-manager%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          6












          $begingroup$

          Some general tips:



          1. The runner should use argparse to parse arguments. It most definitely should not hardcode passwords.


          2. (object) is redundant in Python 3 class definitions.


          3. I'd recommend running any Python code through Black, flake8 and mypy with a strict configuration like this one:



            [flake8]
            doctests = true
            exclude =
            .git
            max-complexity = 5
            max-line-length = 120
            ignore = W503,E203

            [mypy]
            check_untyped_defs = true
            disallow_untyped_defs = true
            ignore_missing_imports = true
            no_implicit_optional = true
            warn_redundant_casts = true
            warn_return_any = true
            warn_unused_ignores = true


          4. You reuse variable names with completely different semantics. This is a really bad idea for understanding what the code is doing and following along even otherwise trivial logic.

          5. Names should be descriptive, for example password_database = PasswordDatabase().

          6. Don't use *args and **kwargs unless you need dynamic parameter lists. Rather than indexing *args you should use named parameters. If they have default values those should go in the method signature.


          7. .get(foo, None) can be simplified to .get(foo) - get() returns None by default.


          8. if foo is None can in the vast majority of cases be changed to the more idiomatic if foo.

          9. I would highly recommend using a well-known open format such as the KeePass one for storing this data.


          10. This should not be in there:



            if not sample == settings["enc_sample_content"]:
            raise ValueError(
            "Cannot open PassDB: incorrect password provided")


          11. There is a lot of encoding and decoding happening, which greatly obfuscates the state and looks unnecessary in several places.

          12. I would not trust this sort of code without a comprehensive test suite.

          With the caveat that I'm not a cryptographer:



          1. Salting does not make sense unless you're hashing the password (which you don't want to do in this case). I'll refrain from any other comments on how the salting is done unless someone corrects this.





          share|improve this answer











          $endgroup$












          • $begingroup$
            I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
            $endgroup$
            – AlexV
            2 hours ago










          • $begingroup$
            +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
            $endgroup$
            – Samy Bencherif
            4 mins ago















          6












          $begingroup$

          Some general tips:



          1. The runner should use argparse to parse arguments. It most definitely should not hardcode passwords.


          2. (object) is redundant in Python 3 class definitions.


          3. I'd recommend running any Python code through Black, flake8 and mypy with a strict configuration like this one:



            [flake8]
            doctests = true
            exclude =
            .git
            max-complexity = 5
            max-line-length = 120
            ignore = W503,E203

            [mypy]
            check_untyped_defs = true
            disallow_untyped_defs = true
            ignore_missing_imports = true
            no_implicit_optional = true
            warn_redundant_casts = true
            warn_return_any = true
            warn_unused_ignores = true


          4. You reuse variable names with completely different semantics. This is a really bad idea for understanding what the code is doing and following along even otherwise trivial logic.

          5. Names should be descriptive, for example password_database = PasswordDatabase().

          6. Don't use *args and **kwargs unless you need dynamic parameter lists. Rather than indexing *args you should use named parameters. If they have default values those should go in the method signature.


          7. .get(foo, None) can be simplified to .get(foo) - get() returns None by default.


          8. if foo is None can in the vast majority of cases be changed to the more idiomatic if foo.

          9. I would highly recommend using a well-known open format such as the KeePass one for storing this data.


          10. This should not be in there:



            if not sample == settings["enc_sample_content"]:
            raise ValueError(
            "Cannot open PassDB: incorrect password provided")


          11. There is a lot of encoding and decoding happening, which greatly obfuscates the state and looks unnecessary in several places.

          12. I would not trust this sort of code without a comprehensive test suite.

          With the caveat that I'm not a cryptographer:



          1. Salting does not make sense unless you're hashing the password (which you don't want to do in this case). I'll refrain from any other comments on how the salting is done unless someone corrects this.





          share|improve this answer











          $endgroup$












          • $begingroup$
            I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
            $endgroup$
            – AlexV
            2 hours ago










          • $begingroup$
            +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
            $endgroup$
            – Samy Bencherif
            4 mins ago













          6












          6








          6





          $begingroup$

          Some general tips:



          1. The runner should use argparse to parse arguments. It most definitely should not hardcode passwords.


          2. (object) is redundant in Python 3 class definitions.


          3. I'd recommend running any Python code through Black, flake8 and mypy with a strict configuration like this one:



            [flake8]
            doctests = true
            exclude =
            .git
            max-complexity = 5
            max-line-length = 120
            ignore = W503,E203

            [mypy]
            check_untyped_defs = true
            disallow_untyped_defs = true
            ignore_missing_imports = true
            no_implicit_optional = true
            warn_redundant_casts = true
            warn_return_any = true
            warn_unused_ignores = true


          4. You reuse variable names with completely different semantics. This is a really bad idea for understanding what the code is doing and following along even otherwise trivial logic.

          5. Names should be descriptive, for example password_database = PasswordDatabase().

          6. Don't use *args and **kwargs unless you need dynamic parameter lists. Rather than indexing *args you should use named parameters. If they have default values those should go in the method signature.


          7. .get(foo, None) can be simplified to .get(foo) - get() returns None by default.


          8. if foo is None can in the vast majority of cases be changed to the more idiomatic if foo.

          9. I would highly recommend using a well-known open format such as the KeePass one for storing this data.


          10. This should not be in there:



            if not sample == settings["enc_sample_content"]:
            raise ValueError(
            "Cannot open PassDB: incorrect password provided")


          11. There is a lot of encoding and decoding happening, which greatly obfuscates the state and looks unnecessary in several places.

          12. I would not trust this sort of code without a comprehensive test suite.

          With the caveat that I'm not a cryptographer:



          1. Salting does not make sense unless you're hashing the password (which you don't want to do in this case). I'll refrain from any other comments on how the salting is done unless someone corrects this.





          share|improve this answer











          $endgroup$



          Some general tips:



          1. The runner should use argparse to parse arguments. It most definitely should not hardcode passwords.


          2. (object) is redundant in Python 3 class definitions.


          3. I'd recommend running any Python code through Black, flake8 and mypy with a strict configuration like this one:



            [flake8]
            doctests = true
            exclude =
            .git
            max-complexity = 5
            max-line-length = 120
            ignore = W503,E203

            [mypy]
            check_untyped_defs = true
            disallow_untyped_defs = true
            ignore_missing_imports = true
            no_implicit_optional = true
            warn_redundant_casts = true
            warn_return_any = true
            warn_unused_ignores = true


          4. You reuse variable names with completely different semantics. This is a really bad idea for understanding what the code is doing and following along even otherwise trivial logic.

          5. Names should be descriptive, for example password_database = PasswordDatabase().

          6. Don't use *args and **kwargs unless you need dynamic parameter lists. Rather than indexing *args you should use named parameters. If they have default values those should go in the method signature.


          7. .get(foo, None) can be simplified to .get(foo) - get() returns None by default.


          8. if foo is None can in the vast majority of cases be changed to the more idiomatic if foo.

          9. I would highly recommend using a well-known open format such as the KeePass one for storing this data.


          10. This should not be in there:



            if not sample == settings["enc_sample_content"]:
            raise ValueError(
            "Cannot open PassDB: incorrect password provided")


          11. There is a lot of encoding and decoding happening, which greatly obfuscates the state and looks unnecessary in several places.

          12. I would not trust this sort of code without a comprehensive test suite.

          With the caveat that I'm not a cryptographer:



          1. Salting does not make sense unless you're hashing the password (which you don't want to do in this case). I'll refrain from any other comments on how the salting is done unless someone corrects this.






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 5 hours ago

























          answered 5 hours ago









          l0b0l0b0

          4,6991023




          4,6991023











          • $begingroup$
            I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
            $endgroup$
            – AlexV
            2 hours ago










          • $begingroup$
            +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
            $endgroup$
            – Samy Bencherif
            4 mins ago
















          • $begingroup$
            I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
            $endgroup$
            – AlexV
            2 hours ago










          • $begingroup$
            +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
            $endgroup$
            – Samy Bencherif
            4 mins ago















          $begingroup$
          I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
          $endgroup$
          – AlexV
          2 hours ago




          $begingroup$
          I support your note on salting symmetrically encrypted passwords. The random IV in AES CBC should be functionaly equivalent. (Disclaimer: also not a cryptographer here)
          $endgroup$
          – AlexV
          2 hours ago












          $begingroup$
          +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
          $endgroup$
          – Samy Bencherif
          4 mins ago




          $begingroup$
          +1 for #4 implying the validity of variable reuse in cases of tight semantic relevance
          $endgroup$
          – Samy Bencherif
          4 mins ago

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f219400%2fpython-password-manager%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

          He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

          Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029