Encrypting a password parameter

4784
3
08-18-2011 07:07 AM
EricWolf
New Contributor
I have a Python geoprocessing script that needs to get a password as a parameter from the user. Right now, I am just using a "string" type. But ArcGIS (9.3.1) echoes all parameters when it starts to run the script.

Is there an (easy) way to have an encrypted/obfuscated password parameter type?
0 Kudos
3 Replies
TonyContreras
Occasional Contributor
You can try using the getpass module for python.

getpass
0 Kudos
ClarrieHall
New Contributor
You can try using the getpass module for python.

getpass


getpass works fine for standalone scripts but it seems it lock everything up if I use it in a script that is run from in ArcMap (10.0).
I guess that it is still waiting for input that will never arrive.
I presume that this is for a similar reason to print statements not working in this environment.

There is an parameter type for scripts (ArcGIS 10.0) called "Encrypted String" which does mask on input but I am not sure what you can do with it in the script.

I assume that the original poster wanted to then pass on the parameter to something else or compare it to known values as would I.
0 Kudos
PF1
by
Occasional Contributor II
getpass works fine for standalone scripts but it seems it lock everything up if I use it in a script that is run from in ArcMap (10.0).
I guess that it is still waiting for input that will never arrive.
I presume that this is for a similar reason to print statements not working in this environment.

There is an parameter type for scripts (ArcGIS 10.0) called "Encrypted String" which does mask on input but I am not sure what you can do with it in the script.

I assume that the original poster wanted to then pass on the parameter to something else or compare it to known values as would I.


I've had similar issues and requirements.  My basic requirement was to allow a user to change their database password.  So what I did is use getpass in a subprocess to ask the user for a new password (and to verify the new password).  I'v essentially implemented these two methods:

import subprocess
def promptForPassword():
 pwd=promptInNewProcess()
 pwd2=promptInNewProcess("Verify the new password: ")
 return pwd,pwd2
 
def promptInNewProcess(prompt="Enter a new password: "):
 cmd=r'python -c "from getpass import getpass; pwd=getpass(\"'+prompt+r'\"); print pwd"'
 p = subprocess.Popen(cmd, stdout=subprocess.PIPE)
 out, err = p.communicate()
 if (err==None):
  return out.strip()
 return ""


And then called these from my python script that is pointed to from a toolbox script:
import arcpy
from OraclePasswordFunctions import promptForPassword
if __name__ == "__main__":
 if (len(sys.argv)<>2):
  print "There is 1 required input: "
  print "  - SDE connection file to an ORACLE database (.sde).  The user in the sde connection file is will be the user who's password gets changed"
  sys.exit(0)  

 arcpy.AddMessage("\n\n\nThis utility will change the password of a SDE connection file.  A command prompt will appear and ask for a new password.  A second command prompt will then appear to validate the password (verify the inputs are the same).  This utility uses the following criteria for password strength: ")
 arcpy.AddMessage("  - 8 or more characters in length")
 arcpy.AddMessage("  - 30 or less characters in length")
 arcpy.AddMessage("  - Start with an alpha character [a..z] or [A..Z]")
 arcpy.AddMessage("  - Contain at least 1 lower case character")
 arcpy.AddMessage("  - Contain at least 1 upper case character")
 arcpy.AddMessage("  - Contain at least 1 numeric character")
 arcpy.AddMessage("  - Contain at least 1 special character.  The only special characters allowed are '_' or '#' or '$' (without quotes)")
 arcpy.AddMessage("\n\n\n")

 sde_ws = arcpy.GetParameterAsText(0)
 pwd1,pwd2=promptForPassword()


Then what I did was compare pwd1 and pwd2 (to verify they met the requirements and that it was the same password).  If all succeeded then I called the arcpy.ArcSDESQLExecute methods to run an 'ALTER USER' statement

This makes it interactive so that its not really scriptable.  A user runs the tool and it opens a command prompt (black box) that asks for their password.  When they hit enter it closes that one and opens a new command prompt asking for the user to verify the password.
0 Kudos