Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed2a.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path: <python.list@tim.thechases.com>
X-Original-To: python-list@python.org
Delivered-To: python-list@mail.python.org
X-Spam-Status: OK 0.021
X-Spam-Evidence: '*H*': 0.96; '*S*': 0.00; 'cc:addr:python-list': 0.11; '-tkc': 0.16; 'from:addr:python.list': 0.16; 'from:addr:tim.thechases.com': 0.16; 'from:name:tim chase': 0.16; 'obfuscated,': 0.16; 'subject:Password': 0.16; 'subject:issue': 0.16; 'subject:security': 0.16; 'true:': 0.16; 'wrote:': 0.18; 'bit': 0.19; 'code,': 0.22; 'cc:addr:python.org': 0.22; 'question': 0.24; 'cc:2**0': 0.24; 'source': 0.25; 'header:In- Reply-To:1': 0.27; 'chris': 0.29; 'am,': 0.29; 'said,': 0.30; 'could': 0.34; 'but': 0.35; 'there': 0.35; 'passwords': 0.36; 'charset:us-ascii': 0.36; 'changing': 0.37; 'strategy': 0.64; 'to:addr:gmail.com': 0.65; 'mar': 0.68; 'preventing': 0.84; 'received:50.22': 0.84
Date: Sat, 1 Mar 2014 12:38:25 -0600
From: Tim Chase <python.list@tim.thechases.com>
To: Chris Angelico <rosuav@gmail.com>
Subject: Re: Password validation security issue
In-Reply-To: <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com>
References: <09f43567-779e-4d01-8621-c4eb36354d99@googlegroups.com> <CAPTjJmqCTLqXgmHMm2QGYJB1MmYEnhMV3OGe0jPc_UOoUQ9gQA@mail.gmail.com>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - boston.accountservergroup.com
X-AntiAbuse: Original Domain - python.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - tim.thechases.com
X-Get-Message-Sender-Via: boston.accountservergroup.com: authenticated_id: tim@thechases.com
Cc: "python-list@python.org" <python-list@python.org>
X-BeenThere: python-list@python.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe: <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive: <http://mail.python.org/pipermail/python-list/>
List-Post: <mailto:python-list@python.org>
List-Help: <mailto:python-list-request@python.org?subject=help>
List-Subscribe: <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups: comp.lang.python
Message-ID: <mailman.7525.1393699084.18130.python-list@python.org>
Lines: 28
NNTP-Posting-Host: 2001:888:2000:d::a6
X-Trace: 1393699085 news.xs4all.nl 2972 [2001:888:2000:d::a6]:57078
X-Complaints-To: abuse@xs4all.nl
Xref: csiph.com comp.lang.python:67335

On 2014-03-02 05:11, Chris Angelico wrote:
> On Sun, Mar 2, 2014 at 4:49 AM, Renato <rvernucio@gmail.com> wrote:
> > My question is: is there a way of preventing the user from
> > reading the script's content?

Not really.  It might be a bit obfuscated, but 

>> Is there any strategy I could use to hide the passwords from the
>> users?

use Chris's suggestion about hashing.

That said, if the user has access to the source code, there's nothing
preventing them from changing

  if hash(provided_password) == existing_hash:
    do_magic()

into just

  if True:
    do_magic()

and re-running the program.

-tkc