I'm using keyring library to store passwords in my python app.
import keyring
keyring.set_password('My namespace', username, password)
keyring.get_password('My namespace', username)
And this works very well.
I assume that passwords are safe in keyring, they are encrypted. But, since I can get them by username, what prevents other apps to do the same?
Isn't that a security risk, or am I missing something?
The keyring library uses the standard keyring of your desktop environment, e.g. the GNOME keyring. This keyring is unlocked as soon as you log in, meaning: yes, any other application run by you has access to the password you store with your application, but -- and this is the idea of a keyring -- other users and their applications have not.
Quoting “gnome-keyring Security Philosophy”:
Note that the
username
in theset_password
/get_password
functions is not related to the name of the user running the application (i.e. the user whose keyring is used) but may be for example an email address, a database username, etc.