Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it okay that database credentials are stored in plain text?

Tags:

security

database

passwords

django

By default, the Django database host/user/password are stored in the project settings.py file in plain text.

I can't seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an attacker has access to the settings file, then all is probably already lost. Even if the the file were encrypted, the attacker would probably have the means to decrypt it by then.

Is this okay?

like image 398
pancakes Avatar asked Aug 22 '10 05:08

pancakes

People also ask

Should I store passwords in plain text?

Solutions for secure storing and sharing passwords First and foremost, make sure that storing and sharing passwords in plain text is no longer your (and your colleagues') habit. Instead, build some new ones! For storing passwords, forget all those sheets, notepads and Sticky notes – use encrypted password storage.

Can you read the credentials in plaintext Please state why it is the case?

Plaintext Passwords Are Not Secure! Plaintext just means your password is stored exactly as you write it. And that's a problem because hackers can easily read it. Be sure to read up on credential dumping and how to protect yourself.

Is plain text secure?

Plaintext just means normal, everyday language. If your password is stored in plaintext, it is left visible in databases which may not be secure. In cryptography, it refers to a message before encryption. When a plaintext message gets encrypted, the characters become scrambled and unintelligible.

1 Answers

You are correct that storing passwords in plaintext and in a settings.py file is not good security. You could increase security by:

  • Setting the permissions correctly (this will depend on your set up). Ideally only python should be able to read the file.

  • Storing the file out of the www or htdocs root. If at this point an attacker still has access to them, you are screwed anyways.

  • For added security, you can encrypt the connection settings using symmetric encryption (eg: AES). Store the key somewhere else. So even if someone managed to access the connection settings, they'd still need to find the key. The main drawback is that now you have to rewrite the connection method.

like image 172
NullUserException Avatar answered Nov 11 '22 00:11

NullUserException
Sign in to Comment

Related questions

MySQL 8 create new user with password not working
SQL recursive query on self referencing table (Oracle)
MySQL Database backup automatically on a windows server
Lightweight SQL database which doesn't require installation [closed]
How to work with liquibase, a concrete example
How to universally skip database touches when precompiling assets on Heroku
How do I turn MongoDB query into a JSON?
How can I transfer a mongodb database to another machine that cannot see the first one
MySQL query, MAX() + GROUP BY
Unable to connect to SQL Server instance remotely
Grant privileges for a particular database in PostgreSQL
How can I create database tables from XSD files?
SQL: How to to SUM two values from different tables [closed]
How to give a user only select permission on a database
Trying to install Perl-Mysql DBD, mysql_config can't be found
Laravel relationships in migrations?
How do I show unique constraints of a table in MySQL?
Is multi-AZ RDS really worth it? [closed]
Represent Ordering in a Relational Database
How to set a MySQL row to READ-ONLY?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!