Python Quick Tip: Hiding Passwords and Secret Keys in Environment Variables (Windows)

Corey Schafer · 4 min read

Based on Corey Schafer's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Hardcoding database passwords or API keys in Python source code increases the risk of credential leaks when code is shared or committed to repositories.

Briefing

Hardcoding passwords and secret API keys directly in Python code is a common beginner mistake—and it becomes dangerous fast when code is shared with a team or pushed to a repository. A safer pattern is to store secrets in environment variables on the machine running the code, so the source code can be shared without exposing credentials.

On Windows, environment variables are set through the Control Panel. The process starts by opening the Windows search, launching Control Panel, then going to System and Security → System. From there, Advanced system settings leads to the Environment Variables button. In that dialog, secrets can be added as either user variables or system variables; the walkthrough uses user variables. New variables are created with names like DB_USER and DB_PASS (the tutorial prefers all-caps for clarity), and their values are copied from the placeholders that previously lived inside the Python script.

After saving the variables, the change may not apply immediately to an already-open development environment. The tutorial specifically notes that restarting the IDE or editor (it uses Sublime Text) ensures the updated environment is visible to the running Python process.

In Python, the secrets are retrieved at runtime using the standard library’s os module. Importing os enables access to environment variables via os.environ, which behaves like a dictionary. Each secret is fetched by key—e.g., os.environ['DB_USER'] for the database username and os.environ['DB_PASS'] for the database password. When the script runs, it prints or uses the retrieved values without those credentials being embedded in the code itself.
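
The lookup described above can be wrapped so that an unset variable produces a clear error naming what is missing, rather than a bare KeyError, and so the password is masked before it is printed. This is an added example, not code from the video; MissingSecretError, load_db_credentials and redact are hypothetical names, and the sample values are constructed.

```python
import os

REQUIRED = ("DB_USER", "DB_PASS")  # variable names used in the walkthrough


class MissingSecretError(RuntimeError):
    """Raised when a required environment variable is absent or empty."""


def load_db_credentials(env=None):
    """Return {'DB_USER': ..., 'DB_PASS': ...} read from the environment.

    os.environ['NAME'] raises KeyError when NAME is unset, which is what
    happens if the editor was not restarted after the variable was created.
    Collect every missing name and report them together instead.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise MissingSecretError(
            "environment variables not set: " + ", ".join(missing)
            + " (restart the editor or terminal after creating them)"
        )
    return {name: env[name] for name in REQUIRED}


def redact(secret, keep=2):
    """Mask a secret for log output, showing at most `keep` leading chars."""
    if len(secret) <= keep * 2:
        return "*" * len(secret)  # too short to reveal any part safely
    return secret[:keep] + "*" * (len(secret) - keep)


if __name__ == "__main__":
    # Constructed sample values so the demo runs without real settings.
    sample_env = {"DB_USER": "app_reader", "DB_PASS": "constructed-example-pw"}
    creds = load_db_credentials(sample_env)
    print("user:", creds["DB_USER"])
    print("pass:", redact(creds["DB_PASS"]))
    try:
        load_db_credentials({"DB_USER": "app_reader"})  # DB_PASS not set
    except MissingSecretError as exc:
        print("error:", exc)
```

Calling load_db_credentials() with no argument reads the real os.environ of the running process.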

The practical payoff is straightforward: sharing the script no longer shares the secrets. Anyone who receives the code sees only the environment-variable lookups, while the actual credentials remain stored locally on the machine where the variables were defined. The tutorial also points out that setting environment variables differs across operating systems, and it references a separate walkthrough for Mac and Linux.

Overall, the method is a quick, low-friction way to reduce accidental credential leaks during collaboration and version control—especially for developers who are still learning good security hygiene. It doesn’t replace more advanced secret-management systems, but it addresses the immediate risk of committing or distributing secrets alongside application code.

Cornell Notes

Storing credentials inside Python source code makes secrets easy to leak when code is shared or pushed to a repository. On Windows, environment variables provide a simple alternative: define variables like DB_USER and DB_PASS in the system’s Environment Variables settings, then restart the IDE so the running process can see them. In Python, import the os module and read values from os.environ like os.environ['DB_USER'] and os.environ['DB_PASS']. This keeps the code shareable while the actual secrets remain on the local machine. The approach is presented as a beginner-friendly security improvement for database logins, API keys, and other sensitive values.

Why is hardcoding secrets in a Python script risky when working with teams or repositories?

If a database password or API key sits directly in the source file, anyone who can view the code—such as teammates or anyone with access to a Git repository—can also access those credentials. Moving secrets into environment variables keeps the code itself free of sensitive values, so sharing the script doesn’t automatically share the secrets.

How do you set environment variables on Windows for use by a Python script?

Open Control Panel, go to System and Security → System, then select Advanced system settings. In that window, click Environment Variables. Add new user variables (the walkthrough uses user variables) using the New button, set names such as DB_USER and DB_PASS, and paste the corresponding secret values into the variable values. Save the changes.

What change might be required after setting environment variables, and why?

The tutorial notes that you may need to restart your IDE/editor. Environment variables are read by processes at startup, so an already-running editor or Python environment might not pick up newly created variables until it restarts.

How does Python retrieve environment-variable secrets at runtime?

Import the os module (import os), then access os.environ, which acts like a dictionary. Retrieve values by key, such as os.environ['DB_USER'] for the database username and os.environ['DB_PASS'] for the password. The script can then use these values without embedding them in the code.

What’s the main security benefit of this approach compared with storing secrets in code?

The script becomes safe to share because it contains only lookups for environment variables, not the actual credentials. The secrets remain stored locally on the machine where the environment variables were defined, reducing the chance of accidental exposure through code sharing.

Review Questions

  1. What are two concrete reasons secrets become exposed when they are hardcoded in source code?
  2. Walk through the Windows steps to create environment variables and name the variables used in the example.
  3. In Python, what does os.environ represent, and how do you access a specific secret from it?

Key Points

  1. Hardcoding database passwords or API keys in Python source code increases the risk of credential leaks when code is shared or committed to repositories.
  2. On Windows, environment variables are configured via Control Panel → System and Security → System → Advanced system settings → Environment Variables.
  3. Create user variables for secrets (e.g., DB_USER and DB_PASS) and store the real credential values as the variable values.
  4. Restart the IDE/editor after adding environment variables so the running Python process can read the updated environment.
  5. In Python, import os and read secrets from os.environ using dictionary-style key access like os.environ['DB_USER'].
  6. Sharing the script becomes safer because the code contains only environment-variable lookups, not the actual secrets.

Highlights

Environment variables let developers share Python code without distributing the underlying credentials stored on each machine.
Windows secrets are added through Environment Variables in Advanced system settings, using user variables for local-only access.
Python retrieves secrets at runtime via os.environ, treating it like a dictionary of key/value pairs.
Restarting the IDE/editor may be necessary so newly created environment variables are visible to Python.
