Is it okay that database credentials are stored in plain text?

You are correct that storing passwords in plaintext and in a settings.py file is not good security. You could increase security by:

  • Setting the permissions correctly (this will depend on your setup). Ideally only Python should be able to read the file.

  • Storing the file out of the www or htdocs root. If at this point an attacker still has access to them, you are screwed anyway.

  • For added security, you can encrypt the connection settings using symmetric encryption (e.g. AES). Store the key somewhere else. So even if someone managed to access the connection settings, they’d still need to find the key. The main drawback is that now you have to rewrite the connection method.
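As an added illustration of the first two points (not code from the answer above), here is a stdlib-only Python loader that refuses a credentials file that sits under the document root or is readable by anyone other than the owning user. It assumes a POSIX host, a hypothetical `KEY=VALUE` file format, and uses constructed sample values; the AES point is not covered.

```python
import os
import stat
import tempfile
from pathlib import Path

def parse_credentials(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    creds = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE")
        key, _, value = line.partition("=")
        creds[key.strip()] = value.strip()
    return creds

def load_db_credentials(path, document_root):
    """Read credentials only from a private file outside the web root."""
    path, root = Path(path).resolve(), Path(document_root).resolve()
    if path == root or root in path.parents:
        raise ValueError(f"{path} lives under the document root {root}")
    st = os.lstat(path)  # lstat: a symlink must not redirect the check
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible: {stat.filemode(st.st_mode)}")
    return parse_credentials(path.read_text())

def demo():
    """Constructed scenario: private file outside htdocs, then loosened to 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp, "htdocs")
        webroot.mkdir()
        private = Path(tmp, "etc", "db.conf")
        private.parent.mkdir()
        # Constructed sample values, not real credentials
        private.write_text("# constructed sample values\nDB_USER=app\nDB_PASSWORD=not-a-real-secret\n")
        os.chmod(private, 0o600)
        creds = load_db_credentials(private, webroot)
        os.chmod(private, 0o644)  # same file, now readable by every user on the host
        try:
            load_db_credentials(private, webroot)
            rejected = False
        except PermissionError:
            rejected = True
        return creds, rejected
```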
