Storing passwords with python keyring

I'm using the keyring library to store passwords in my Python app.

import keyring

username = "alice@example.com"  # placeholder: the account the secret belongs to
password = "s3cret"             # placeholder
keyring.set_password('My namespace', username, password)
keyring.get_password('My namespace', username)

And this works very well.

I assume that passwords are safe in keyring; they are encrypted. But, since I can get them by username, what prevents other apps from doing the same?

Isn't that a security risk, or am I missing something?


Solution 1:

The keyring library uses the standard keyring of your desktop environment, e.g. the GNOME keyring. This keyring is unlocked as soon as you log in, meaning: yes, any other application run by you has access to the password you store with your application, but -- and this is the idea of a keyring -- other users and their applications do not.

Quoting “gnome-keyring Security Philosophy”:

An example of security theater is giving the illusion that somehow one application running in a security context (such as your user session) can keep information from another application running in the same security context.

Note that the username in the set_password/get_password functions is not related to the name of the user running the application (i.e. the user whose keyring is used) but may be for example an email address, a database username, etc.
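The following is an added example, not part of the question or the answer above: a second, unrelated program that reads back the secret the asker's app stored, which is exactly what the answer says any process in the same login session can do, plus the check a practitioner wants before trusting keyring at all, namely which backend is actually active. It assumes `pip install keyring` and an unlocked desktop keyring; the service name, account name and the "other app" launched as a subprocess are placeholders chosen for illustration, and the set of backend module paths treated as OS-backed is this example's own list, not something keyring itself exposes.

```python
"""
Added example (not the original poster's code): read a keyring entry from a
separate process running as the same OS user, and refuse to rely on keyring
when the active backend is not one of the OS login keyrings.
"""
import subprocess
import sys

import keyring
from keyring.errors import KeyringError

SERVICE = "My namespace"        # placeholder: same service name the first app used
ACCOUNT = "alice@example.com"   # placeholder: the account the secret belongs to, not the OS user

# Backends that hand storage to the OS login keyring / credential vault.
# Module paths as shipped with the keyring package; this list is the
# example's own choice of what counts as "OS-backed".
OS_BACKED_MODULES = {
    "keyring.backends.SecretService",  # GNOME Keyring / KDE via the Secret Service D-Bus API
    "keyring.backends.kwallet",        # KWallet over D-Bus
    "keyring.backends.macOS",          # macOS Keychain
    "keyring.backends.Windows",        # Windows Credential Manager
}


def backend_is_os_backed(backend_module: str) -> bool:
    """True when the backend module path is one of the OS-vault backends above.

    Everything else (keyring.backends.null, keyring.backends.fail, the
    keyrings.alt file backends, or an unresolved chainer) either stores
    nothing, stores plaintext on disk, or needs manual inspection, so a
    caller should not assume the password is protected by the login session.
    """
    return backend_module in OS_BACKED_MODULES


def active_backend_module() -> str:
    """Module path of the backend keyring picked for this environment."""
    return type(keyring.get_keyring()).__module__


def read_in_this_process(service: str = SERVICE, account: str = ACCOUNT):
    """Same-session read; returns None if no backend or the keyring is locked."""
    try:
        return keyring.get_password(service, account)
    except KeyringError:  # e.g. NoKeyringError in a headless session, KeyringLocked
        return None


def read_as_other_app(service: str = SERVICE, account: str = ACCOUNT):
    """Launch a separate interpreter (a different 'application') as the same
    user and let it fetch the secret. This succeeds because the session's
    keyring is already unlocked; a different OS user would not see the entry."""
    code = (
        "import keyring, sys\n"
        f"print(keyring.get_password({service!r}, {account!r}) or '', end='')\n"
    )
    proc = subprocess.run([sys.executable, "-c", code], capture_output=True, text=True)
    return proc.stdout or None


def main() -> None:
    module = active_backend_module()
    print(f"active backend: {module}")
    if not backend_is_os_backed(module):
        print("not an OS login keyring; do not store real secrets here")
        return
    keyring.set_password(SERVICE, ACCOUNT, "s3cret")  # placeholder secret
    print("this app reads :", read_in_this_process())
    print("other app reads:", read_as_other_app())   # same value: same user session
    keyring.delete_password(SERVICE, ACCOUNT)


if __name__ == "__main__":
    main()
```

Run it inside a logged-in desktop session; on a headless host or in CI `keyring.get_keyring()` typically resolves to the `fail` or `null` backend and the script stops before storing anything, which is the behaviour you want from a check like this.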