Closed ivanychev closed 7 years ago
I'll delete secret.txt file after logout.
If the secret.txt is necessary, can we hash it so it's more harmless?
We need a raw username and password to log in to the app. But I think there is a way to save the session and use it instead of logging in again every time we restart the script.
By the way, for multiple accounts, secret.txt as it is now is more convenient. So, if we want to use multiple accounts, just make another folder with the remaining script. But yes, it feels insecure.
Saving session is not safer because it can be stolen. In the end we need either to ask user for password (Instagram password, or the one to decrypt encrypted session in some way) or just save it in secret.txt.
I suppose that we need to add some kind of key argument, for example
python instabot script.py
will ask for credentials and won't store them, and
python instabot -s script.py
will save session in some way.
That makes the module safer by default.
Another thought is to use some unique static identifier (CPU model, MAC address or stuff like that) of a machine that runs the module as an encryption/decryption key. It's not the best but clearly better than plaintext.
already fixed
Frankly speaking, it's too insecure not to delete file with login/password after finishing a session.
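Added example, not part of the thread or of instabot's code: a sketch of the safe-by-default behaviour proposed above, where credentials are prompted for and never written to disk, and only `-s` persists a session file, created owner-only. The `run`, `save_session` and `load_session` helpers, the `login` callable and the JSON session format are assumptions for illustration; encrypting the saved session is not shown.

```python
import argparse
import getpass
import json
import os


def parse_args(argv):
    p = argparse.ArgumentParser(prog="instabot")
    # Persistence is opt-in: without -s nothing touches the disk.
    p.add_argument("-s", "--save-session", action="store_true")
    p.add_argument("script")
    return p.parse_args(argv)


def save_session(path, session):
    # Remove any stale or pre-planted entry, then create the file with
    # O_EXCL and mode 0600 so it is never readable by other users.
    if os.path.lexists(path):
        os.remove(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(session, f)


def load_session(path):
    # Refuse a session file that group or others can access.
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to other users")
    with open(path) as f:
        return json.load(f)


def run(argv, login, session_path,
        prompt_user=input, prompt_pass=getpass.getpass):
    """login(user, password) -> session dict is a hypothetical callable."""
    args = parse_args(argv)
    if args.save_session and os.path.exists(session_path):
        return load_session(session_path)  # reuse, no password prompt
    # The password exists only in memory for the duration of login().
    session = login(prompt_user("Username: "), prompt_pass("Password: "))
    if args.save_session:
        save_session(session_path, session)  # session token, not password
    return session
```

A stolen session file still grants access until the session is invalidated, so the file permissions reduce exposure to other local users rather than remove the risk raised in the thread.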