How is python-keyring implemented on Windows?

4

22

How does python-keyring provide security on Windows?

In GNOME/KDE on Linux, the user is prompted to enter his password to authorize access to the keyring on a per-application basis.

In Windows there is no such prompt when an application accesses the keyring. What is stopping a random Python application from retrieving a password from the keyring by running

import keyring
keyring.get_password(service, username)

How is user consent implemented? Is the whole concept, at least in Windows, based on the assumption that all installed programs are 'trusted'?

Fad answered 7/2, 2013 at 16:44 Comment(0)
30

Researching this a bit, it appears that the passwords are stored within a Windows Credential Vault, which is the equivalent of the Gnome or KDE keyrings. You can actually see the ones that you have stored by opening up the Windows Credential Manager. I get there by just typing in Credential Manager on Windows 8.1 from the start screen, but I think you can get to it from the User accounts page as well.

Anyway, as you can see from the attached image, the password that I added to the keyring as a test is displayed under Windows Credentials -> Generic Credentials -> keyring_demo. Opening this window up as another user on the PC does not show this password, so it seems secured from other users. This screen also allows you to revoke or change passwords.

Windows credential manager

As to how consent is implemented, I believe keyring will operate as long as your Windows user account is logged in, but I don't know the specifics.

Limit answered 11/6, 2015 at 14:30 Comment(0)
1

The credential manager method works, but in my case add:

  • internet or network address "myPassGroup"
  • username "pass1"
  • password "xxx"

then add another entry using the same network address

  • internet or network address "myPassGroup"
  • username "pass2"
  • password "xxx"

The pass2 entry will OVERRIDE the first entry, pass1! This is a major drawback, as the "internet or network address" serves as a group name in keyring, and I need to put multiple passwords under the same name.

My solution is to use the Python commands directly:

  • open CMD in Windows
  • type Python
  • then type import keyring
  • then type keyring.set_password("groupName", "passKey", "password")
  • then type keyring.set_password("groupName", "passKey2", "password2")

You can validate the result with

  • keyring.get_password("groupName", "passKey")
  • keyring.get_password("groupName", "passKey2")

I know this will work, but I still struggle to find where the actual data is saved.

I used the following commands to try to find out:

  • python -c "import keyring.util.platform_; print(keyring.util.platform_.config_root())"

  • python -c "import keyring.util.platform_; print(keyring.util.platform_.data_root())"

The data_root in my case is "C:\Users\JunchenLiu\AppData\Local\Python Keyring". I checked the folder; it doesn't exist... it must have been saved somewhere. Maybe someone can figure it out.

But my solution should work perfectly on Windows.

Ancillary answered 13/4, 2018 at 21:48 Comment(1)
I believe they are stored in one of two locations: C:\Users\username\AppData\Roaming\Microsoft\Credentials or C:\Users\username\AppData\Local\Microsoft\Credentials, but the file is encrypted. Check out this thread: serverfault.com/questions/770996/… - Bookrest
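Why the two set_password calls in the answer above can coexist while the Credential Manager dialog overwrites, as an added example that is not part of the original answer and not keyring's own code. A dict models the per-user store; the "username@service" target used for the displaced entry is an assumption about how keyring's Windows backend names entries, and the class and function names are hypothetical.

```python
# Added illustration; the dict stands in for one user's generic credentials
# in Windows Credential Manager, keyed by target name (constructed data).
# ASSUMPTION: the "username@service" compound target reflects how keyring's
# Windows backend is understood to behave; the page does not state it.


class CredentialStoreModel:
    def __init__(self):
        self.targets = {}  # target name -> (username, password)

    def ui_add(self, address, username, password):
        # Credential Manager dialog: one entry per "internet or network
        # address", so a second entry for the same address replaces the first.
        self.targets[address] = (username, password)

    @staticmethod
    def compound_name(username, service):
        return f"{username}@{service}"

    def set_password(self, service, username, password):
        existing = self.targets.get(service)
        if existing is not None:
            # Keep the entry that currently owns the bare service name by
            # re-saving it under a compound target before overwriting.
            old_user = existing[0]
            self.targets[self.compound_name(old_user, service)] = existing
        self.targets[service] = (username, password)

    def get_password(self, service, username):
        entry = self.targets.get(service)
        if entry is None or entry[0] != username:
            entry = self.targets.get(self.compound_name(username, service))
        return entry[1] if entry else None


def demo():
    """Replay both procedures from the answer on separate model stores."""
    ui, api = CredentialStoreModel(), CredentialStoreModel()
    ui.ui_add("myPassGroup", "pass1", "xxx")
    ui.ui_add("myPassGroup", "pass2", "xxx")
    api.set_password("groupName", "passKey", "password")
    api.set_password("groupName", "passKey2", "password2")
    return ui, api


if __name__ == "__main__":
    ui, api = demo()
    print("dialog targets:", sorted(ui.targets))
    print("keyring targets:", sorted(api.targets))
```

If the assumption holds, auditing or revoking a keyring secret in Credential Manager means checking both the bare service name and the compound target.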
0

This is from the python-keyring GitHub. I imagine a similar concern exists for Windows as it does for macOS, though the website says no analysis has been completed.

Security Considerations

Each builtin backend may have security considerations to understand before using this library. Authors of tools or libraries utilizing keyring are encouraged to consider these concerns.

As with any list of known security concerns, this list is not exhaustive. Additional issues can be added as needed.

macOS Keychain
        Any Python script or application can access secrets created by keyring from that same Python executable without the operating system prompting the user for a password. To cause any specific secret to prompt for a password every time it is accessed, locate the credential using the Keychain Access application, and in the Access Control settings, remove Python from the list of allowed applications.
Assyrian answered 8/8, 2022 at 22:11 Comment(0)
-12
from keyring.backend import KeyringBackend

class SimpleKeyring(KeyringBackend):
    """Simple Keyring is a keyring which can store only one
    password in memory.
    """
    def __init__(self):
        self.password = ''

    def supported(self):
        return 0

    def get_password(self, service, username):
        return self.password

    def set_password(self, service, username, password):
        self.password = password
        return 0

    def delete_password(self, service, username):
        self.password = None
Trimetallic answered 24/9, 2013 at 4:14 Comment(1)
In what way does this answer the question? - Vaporize
