Know the master key yourself. Don&#39;t hard code it. 

Use `py-bcrypt` (bcrypt), powerful hashing technique to generate a password yourself.

Basically you can do this (an idea...)

    import bcrypt
    from getpass import getpass
    master_secret_key = getpass(&#39;tell me the master secret key you are going to use&#39;)
    salt = bcrypt.gensalt()
    combo_password = raw_password + salt + master_secret_key
    hashed_password = bcrypt.hashpw(combo_password, salt)

save salt and hashed password somewhere so whenever you need to use the password, you are reading the encrypted password, and test against the raw password you are entering again.

This is basically how login should work these days.


I typically have a `secrets.py` that is stored separately from my other python scripts and is not under version control. Then whenever required, you can do `from secrets import &lt;required_pwd_var&gt;`. This way you can rely on the operating systems in-built file security system without re-inventing your own.

Using `Base64` encoding/decoding is also another way to obfuscate the password though not completely secure

More here - https://stackoverflow.com/questions/157938/hiding-a-password-in-a-python-script?rq=1

the secure way is encrypt your sensitive data by AES and the encryption key is derivation by password-based key derivation function (PBE), the master password used to encrypt/decrypt the encrypt key for AES.

&gt; master password -&gt; secure key-&gt; encrypt data by the key

You can use [pbkdf2][1]

    from PBKDF2 import PBKDF2
    from Crypto.Cipher import AES
    import os
    salt = os.urandom(8)    # 64-bit salt
    key = PBKDF2(&quot;This passphrase is a secret.&quot;, salt).read(32) # 256-bit key
    iv = os.urandom(16)     # 128-bit IV
    cipher = AES.new(key, AES.MODE_CBC, iv)

make sure to store the salt/iv/passphrase , and decrypt using same salt/iv/passphase

Weblogic used similar approach to protect passwords in config files


  [1]: https://www.dlitz.net/software/python-pbkdf2/

For some reason my code is having trouble opening a simple file:

This is the code:

    file1 = open(&#39;recentlyUpdated.yaml&#39;)

And the error is: 

```none
IOError: [Errno 2] No such file or directory: &#39;recentlyUpdated.yaml&#39;
```

-  Naturally I checked that this is the correct name of the file.
-  I have tried moving around the file, giving `open()` the full path to the file and none of it seems to work.


open() gives FileNotFoundError/IOError: Errno 2 No such file or directory

I am struggling with this error:

&gt; 08-08 11:42:53.179: E/AndroidRuntime(20288): Caused by: java.lang.InstantiationException: can&#39;t instantiate class com.example.localnotificationtest.ReminderService; no empty constructor

I don&#39;t understand why this error occurs.

I am trying to appear notification at specific time and after searching for a time i found this [old stackoverflow question][1]. I tried everything but my code gives error.

Please help me to solve this problem.

Here is my MainActivity code:

    public class MainActivity extends Activity {
    	int mHour, mMinute;
    	ReminderService reminderService;
    	
    	@Override
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            reminderService = new ReminderService(&quot;ReminderService&quot;);
            
            TimePickerDialog dialog = new TimePickerDialog(this, mTimeSetListener, mHour, mMinute, false);
            dialog.show();
        }
    	
    	TimePickerDialog.OnTimeSetListener mTimeSetListener =  new OnTimeSetListener() {
    		
    		@Override
    		public void onTimeSet(TimePicker v, int hourOfDay, int minute) {
    			mHour = hourOfDay;
    			mMinute = minute;
    
    			AlarmManager alarmManager = (AlarmManager)getSystemService(ALARM_SERVICE);
    			Calendar c = Calendar.getInstance();
    			c.set(Calendar.YEAR, Calendar.YEAR);
    			c.set(Calendar.MONTH, Calendar.MONTH);
    			c.set(Calendar.DAY_OF_MONTH, Calendar.DAY_OF_MONTH);
    			c.set(Calendar.HOUR_OF_DAY, mHour);
    			c.set(Calendar.MINUTE, mMinute);
    			c.set(Calendar.SECOND, 0);
    			
    			long timeInMills = c.getTimeInMillis();
    			
    			Intent intent = new Intent(MainActivity.this, ReminderService.class);
    			PendingIntent pendingIntent = PendingIntent.getService(MainActivity.this, 0, intent, 0);
    			alarmManager.set(AlarmManager.RTC, timeInMills, pendingIntent);
    		}
    	};
        
    }


and here is my ReminderService code:

    public class ReminderService extends IntentService {
    
    	public ReminderService(String name) {
    		super(name);
    		// TODO Auto-generated constructor stub
    	}
    
    	@Override
    	protected void onHandleIntent(Intent intent) {
    		
    		Intent notificationIntent = new Intent(this, MainActivity.class);
    		PendingIntent contentIntent = PendingIntent.getActivity(this, 1, notificationIntent, PendingIntent.FLAG_CANCEL_CURRENT);
    
    		NotificationManager nm = (NotificationManager) this.getSystemService(Context.NOTIFICATION_SERVICE);
    
    		Notification.Builder builder = new Notification.Builder(this);
    
    		builder.setContentIntent(contentIntent)
    			.setSmallIcon(R.drawable.ic_launcher)
    			.setTicker(&quot;Local Notification Ticker&quot;)
    		 	.setWhen(System.currentTimeMillis())
    		 	.setAutoCancel(true)
    		 	.setContentTitle(&quot;Local Notification&quot;)
    		 	.setContentText(&quot;This is content text.&quot;);
    		 Notification n = builder.getNotification();
    
    		 nm.notify(1, n);
    	}
    
    }

and here is my manifest.xml:

    &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot;
        package=&quot;com.example.localnotificationtest&quot;
        android:versionCode=&quot;1&quot;
        android:versionName=&quot;1.0&quot; &gt;
    
        &lt;uses-sdk
            android:minSdkVersion=&quot;11&quot;
            android:targetSdkVersion=&quot;15&quot; /&gt;
    
        &lt;application
            android:icon=&quot;@drawable/ic_launcher&quot;  android:label=&quot;@string/app_name&quot;  android:theme=&quot;@style/AppTheme&quot; &gt;
            &lt;activity android:name=&quot;.MainActivity&quot;  android:label=&quot;@string/title_activity_main&quot; &gt;
                &lt;intent-filter&gt;
                    &lt;action android:name=&quot;android.intent.action.MAIN&quot; /&gt;
                    &lt;category android:name=&quot;android.intent.category.LAUNCHER&quot; /&gt;
                &lt;/intent-filter&gt;
            &lt;/activity&gt;
            &lt;service android:name=&quot;ReminderService&quot;&gt;&lt;/service&gt;
        &lt;/application&gt;
    
    &lt;/manifest&gt;

I don&#39;t know where I am going wrong. Am I missing some code?


  [1]: https://stackoverflow.com/q/7540724/1250370

No empty constructor when create a service

&gt; **Possible Duplicate:**  
&gt; [I need to securely store a username and password in Python, what are my options?](https://stackoverflow.com/questions/7014953/i-need-to-securely-store-a-username-and-password-in-python-what-are-my-options)  

&lt;!-- End of automatically inserted text --&gt;

I am looking for a way to securely store passwords which I intend to use in some Python scripting. I will be logging into different things and I don&#39;t want to store the passwords as plaintext in the script itself.

Instead I was wondering if there is anything which is able to securely store those passwords and then retrieve them using something like a master password which I could enter to the script at the beginning.

Securely storing passwords for use in python script

> Possible Duplicate: 
> <a href="https://stackoverflow.com/questions/7014953/i-need-to-securely-store-a-username-and-password-in-python-what-are-my-options" target="_blank" rel="noopener noreferrer">I need to securely store a username and password in Python, what are my options?</a>

I am looking for a way to securely store passwords which I intend to use in some Python scripting. I will be logging into different things and I don't want to store the passwords as plaintext in the script itself.
Instead I was wondering if there is anything which is able to securely store those passwords and then retrieve them using something like a master password which I could enter to the script at the beginning.

I recently switch to Celery 3.0. Before that I was using [Flask-Celery][1] in order to integrate Celery with Flask. Although it had many issues like hiding some powerful Celery functionalities but it allowed me to use the full context of Flask app and especially Flask-SQLAlchemy.

In my background tasks I am processing data and the SQLAlchemy ORM to store the data. The maintainer of Flask-Celery has dropped support of the plugin. The plugin was pickling the Flask instance in the task so I could have full access to SQLAlchemy.

I am trying to replicate this behavior in my tasks.py file but with no success. Do you have any hints on how to achieve this?


  [1]: https://github.com/ask/flask-celery/

How to use Flask-SQLAlchemy in a Celery task

Any help on this problem will be greatly appreciated.

So basically I want to run a query to my SQL database and store the returned data as Pandas data structure.

I have attached code for query.

I am reading the documentation on Pandas, but I have problem to identify the return type of my query.

I tried to print the query result, but it doesn&#39;t give any useful information.

Thanks!!!! 

```python
from sqlalchemy import create_engine

engine2 = create_engine(&#39;mysql://THE DATABASE I AM ACCESSING&#39;)
connection2 = engine2.connect()
dataid = 1022
resoverall = connection2.execute(&quot;
    SELECT 
       sum(BLABLA) AS BLA,
       sum(BLABLABLA2) AS BLABLABLA2,
       sum(SOME_INT) AS SOME_INT,
       sum(SOME_INT2) AS SOME_INT2,
       100*sum(SOME_INT2)/sum(SOME_INT) AS ctr,
       sum(SOME_INT2)/sum(SOME_INT) AS cpc
    FROM daily_report_cooked
    WHERE campaign_id = &#39;%s&#39;&quot;,
    %dataid
)
```

So I sort of want to understand what&#39;s the format/datatype of my variable &quot;resoverall&quot; and how to put it with PANDAS data structure.

How to convert SQL Query result to PANDAS Data Structure?

I&#39;m plotting a histogram using the matplotlib.pyplot module and I am wondering how I can force the y-axis labels to only show integers (e.g. 0, 1, 2, 3 etc.) and not decimals (e.g. 0., 0.5, 1., 1.5, 2. etc.). 

I&#39;m looking at the guidance notes and suspect the answer lies somewhere around [matplotlib.pyplot.ylim](http://matplotlib.sourceforge.net/api/pyplot_api.html#matplotlib.pyplot.ylim) but so far I can only find stuff that sets the minimum and maximum y-axis values. 

    def doMakeChart(item, x):
        if len(x)==1:
            return
        filename = &quot;C:\Users\me\maxbyte3\charts\\&quot;
        bins=logspace(0.1, 10, 100)
        plt.hist(x, bins=bins, facecolor=&#39;green&#39;, alpha=0.75)
        plt.gca().set_xscale(&quot;log&quot;)
        plt.xlabel(&#39;Size (Bytes)&#39;)
        plt.ylabel(&#39;Count&#39;)
        plt.suptitle(r&#39;Normal Distribution for Set of Files&#39;)
        plt.title(&#39;Reference PUID: %s&#39; % item)
        plt.grid(True)
        plt.savefig(filename + item + &#39;.png&#39;)
        plt.clf()

How to force the Y axis to only use integers in Matplotlib?

Is there an equivalent for PHP&#39;s implode in Python? I&#39;ve read in and split up a set of delimited words, and now I want to sort them out in random orders and print the words out with spaces in between.

&gt; implode — Join array elements with a string

http://php.net/manual/en/function.implode.php

Python equivalent for PHP&#39;s implode?

I have an array `A` of shape (1000, 2000). I use matplotlib.pyplot to plot the array, which means 1000 curves, using 

    import matplotlib.pyplot as plt
    plt(A)

The figure is fine but there are a thousand lines of:

    &lt;matplotlib.lines.Line2D at 0xXXXXXXXX&gt;

Can I disable this output?

Disable the output of matplotlib pyplot

For a payment provider, I need to calculate a hash-based message authentication code, using HMAC-SHA256. That is causing me quite a bit of trouble.

The payment provider gives two examples of orrectly calculated authentication code in pseudo-code. All keys are in hex.

###Method 1 

    key = 57617b5d2349434b34734345635073433835777e2d244c31715535255a366773755a4d70532a5879793238235f707c4f7865753f3f446e633a21575643303f66
    message = &quot;amount=100&amp;currency=EUR&quot;
    MAC = HMAC-SHA256( hexDecode(key), message )
    result = b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905

###Method 2

    message = &quot;amount=100&amp;currency=EUR&quot;
    Ki = 61574d6b157f757d02457573556645750e0341481b127a07476303136c005145436c7b46651c6e4f4f040e1569464a794e534309097258550c17616075060950
    Ko = 0b3d27017f151f17682f1f193f0c2f1f64692b227178106d2d096979066a3b2f2906112c0f760425256e647f032c2013243929636318323f667d0b0a1f6c633a
    MAC = SHA256( hexDecode(Ko) + SHA256( hexDecode(Ki) + message ) )
    result = b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905

I tried to write the code to do this, after doing some research, but I keep coming up with different results.





    private static void Main(string[] args)
        {
            var key = &quot;57617b5d2349434b34734345635073433835777e2d244c31715535255a366773755a4d70532a5879793238235f707c4f7865753f3f446e633a21575643303f66&quot;;
            var ki = &quot;61574d6b157f757d02457573556645750e0341481b127a07476303136c005145436c7b46651c6e4f4f040e1569464a794e534309097258550c17616075060950&quot;;
            var ko = &quot;0b3d27017f151f17682f1f193f0c2f1f64692b227178106d2d096979066a3b2f2906112c0f760425256e647f032c2013243929636318323f667d0b0a1f6c633a&quot;;
            var mm = &quot;amount=100&amp;currency=EUR&quot;;

            var result1 = CalcHMACSHA256Hash(HexDecode(key), mm);

            var result2 = CalcSha256Hash(string.Format(&quot;{0}{1}&quot;, HexDecode(ko), CalcSha256Hash(HexDecode(ki) + mm)));

            Console.WriteLine(&quot;Expected: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905&quot;);
            Console.WriteLine(&quot;Actual 1: &quot; + result1);
            Console.WriteLine(&quot;Actual 2: &quot; + result2);

            Console.WriteLine(&quot;------------------------------&quot;);
            Console.ReadKey();

        }

        private static string HexDecode(string hex)
        {
            var sb = new StringBuilder();
            for (int i = 0; i &lt;= hex.Length - 2; i += 2)
            {
                sb.Append(Convert.ToString(Convert.ToChar(Int32.Parse(hex.Substring(i, 2), System.Globalization.NumberStyles.HexNumber))));
            }
            return sb.ToString();
        }

        private static string CalcHMACSHA256Hash(string plaintext, string salt)
        {
            string result = &quot;&quot;;
            var enc = Encoding.Default;
            byte[]
            baText2BeHashed = enc.GetBytes(plaintext),
            baSalt = enc.GetBytes(salt);
            System.Security.Cryptography.HMACSHA256 hasher = new HMACSHA256(baSalt);
            byte[] baHashedText = hasher.ComputeHash(baText2BeHashed);
            result = string.Join(&quot;&quot;, baHashedText.ToList().Select(b =&gt; b.ToString(&quot;x2&quot;)).ToArray());
            return result;
        }


        public static string CalcSha256Hash(string input)
        {
            SHA256 sha256 = new SHA256Managed();
            byte[] sha256Bytes = Encoding.Default.GetBytes(input);
            byte[] cryString = sha256.ComputeHash(sha256Bytes);
            string sha256Str = string.Empty;
            for (int i = 0; i &lt; cryString.Length; i++)
            {
                sha256Str += cryString[i].ToString(&quot;x2&quot;);
            }
            return sha256Str;
        }


And this is the result I get:

    Expected: b436e3e86cb3800b3864aeecc8d06c126f005e7645803461717a8e4b2de3a905
    Actual 1: 421ce16f2036bb9f2a3770c16f01e9220f0232d45580584ca41768fd16c15fe6
    Actual 2: 290f14398bf8c0959dfc963e2fd9c377534c6fec1983025d2ab192382f132b92

So with none of the two methods, I can get the result the provider example wants.

**What am I missing here? Is it encoding? Is my hexDecode screwed up?**

Test tool from payment provider: http://tech.dibs.dk/dibs_api/other_features/hmac_tool/

PHP sample code: http://tech.dibspayment.com/dibs_api/other_features/mac_calculation/

Calculating HMACSHA256 using c# to match payment provider example

How do you prevent multiple clients from using the same session ID? I&#39;m asking this because I want to add an extra layer of security to prevent session hijacking on my website. If a hacker somehow figures out another user&#39;s session ID and makes requests with that SID, how can I detect that there are different clients sharing a single SID on the server and then reject the hijack attempt?

**EDIT**

I have accepted Gumbo&#39;s answer after careful consideration because I&#39;ve come to the realization that what I&#39;m asking for is impossible due to the restrictions of a *stateless HTTP protocol*. I forgot about what is perhaps the most fundamental principle of HTTP, and now that I think about this question seems a bit trivial.

Let me elaborate what I mean:

After User A logs in on example.com, he is given some random session ID, for simplicity&#39;s sake, let it be &#39;abc123&#39;. This session ID is stored as a cookie on the client side and is validated with a server-side session to ensure the user who logged in remains logged in as he moves from one webpage to another. This cookie of course would not need to exist if HTTP were not stateless. For that reason, if User B steals User A&#39;s SID, and creates a cookie on his computer with the value &#39;abc123&#39;, he would have successfully hijacked User A&#39;s session, but there is simply no way for the server to legitimately recognize that User B&#39;s request is any different from User A&#39;s requests, and therefore the server has no reason to reject any request. Even if we were to list the sessions that were already active on the server and try to see if someone is accessing a session that is already active, how can we determine that it is another user who is accessing the session illegitimately and not the same user who is already logged in with a session ID, but simply trying to make another request with it (ie navigate to a different webpage). We can&#39;t. Checking the user agent? Can be spoofed - but good as a Defense in Depth measure nevertheless. IP Address? Can change for legitimate reasons - but instead of not checking for the IP address at all, I suggest checking something like the first two octets of the IP, as even a user on a data plan network who constantly has a changing IP for perfectly legitimate reasons would only usually have the last two octets of their IP change.

In consclusion, it is the stateless HTTP that condemns us to never being able to fully protect our websites from session hijacking, but good practices (like the ones Gumbo has provided) will be good enough to prevent a good majority of session attacks. Trying to protect sessions from hijacking by denying multiple requests of the same SID is therefore simply ludicrous, and would defeat the whole purpose of sessions.

Preventing session hijacking

I work on a few apps in rails, django (and a little bit of php), and one of the things that I started doing in some of them is storing database and other passwords as environment variables  rather than plain text in certain config files (or in settings.py, for django apps).

In discussing this with one of my collaborators, he suggested this is a poor practice - that perhaps this isn&#39;t as perfectly secure as it might at first seem.

So, I would like to know - is this a secure practice? Is it more secure to store passwords as plain text in these files (making sure, of course, not to leave these files in public repos or anything)?

Is it secure to store passwords as environment variables (rather than as plain text) in config files?

An application that has been working without problem (and has not had any active development done on it in about 6 months or so) recently began failing to connect to database.  Operations admins cant say what might have changed that would cause the problem.

The client application uses a hardcoded connection string with Integrated Security=True, but when the applications attempts to create a connection to the database, it throws an SQLException saying &quot;Login failed for user &#39;NT AUTHORITY\ANONYMOUS LOGON&quot;.

I can log on to the database through Management Studio on this account without problem.  All of the things that I have seen for this issue are for ASP.NET projects and it is apparently the &quot;Double Hop Problem&quot; which being a client application darned well better not be a problem.  Any help would be greatly appreciated.

Edit
-
The client machine and server machine as well as user accounts are on the same domain.
This occurs when Windows Firewall is off.

Leading theory is:
Server was restarted about a week or so ago, and failed to register Service Principal Name (SPN).  Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos.

SQL Server returns error &quot;Login failed for user &#39;NT AUTHORITY\ANONYMOUS LOGON&#39;.&quot; in Windows application

&lt;p&gt;
I&#39;m making a Windows application, which you need to log into first.&lt;br/&gt;
The account details consist of username and password, and they need to be saved locally.&lt;br/&gt;
It&#39;s just a matter of security, so other people using the same computer can&#39;t see everyone&#39;s personal data.&lt;br/&gt;
&lt;strong&gt;What is the best/most secure way to save this data?&lt;/strong&gt;
&lt;/p&gt;

&lt;p&gt;
&lt;em&gt;I don&#39;t want to use a database, so I tried some things with Resource files.&lt;br/&gt;
But since I&#39;m kind of new with this, I&#39;m not entirely sure of what I&#39;m doing and where I should be looking for a solution.&lt;/em&gt;
&lt;/p&gt;

Content Type	Original Author	Original Content on Stackoverflow
Question	user1598386	View Question on Stackoverflow
Solution 1 - Python	CppLearner	View Answer on Stackoverflow
Solution 2 - Python	Pratik Mandrekar	View Answer on Stackoverflow
Solution 3 - Python	Ted Shaw	View Answer on Stackoverflow

Securely storing passwords for use in python script

Python Problem Overview

Python Solutions

Solution 1 - Python

Solution 2 - Python

Solution 3 - Python

No empty constructor when create a service

open() gives FileNotFoundError/IOError: Errno 2 No such file or directory

Attributions