Menu
Storing a password in the registry does not secure it. Anyone with access to the server can read it there.
Why Passwords Shouldn't Be Stored in Plain Text. When a company stores passwords in plain text, anyone with the password database—or whatever other file the passwords are stored in—can read them. If a hacker gains access to the file, they can see all the passwords. Storing passwords in plain text is a terrible practice ...
Password manager applications Pros of using a password manager application: Best place to store passwords — A reputable password manager app is the best way to store passwords securely. A password manager allows you to easily create, manage, and access your secure passwords.
Secrets are environment variables with extra security measures to protect their values. Any environment variables that define sensitive or private information (such as credentials) should be stored as secrets. A secret may be defined as a secure variable for any number of services in the environment.
As mentioned before, both methods do not provide any layer of additional "security" once your system is compromised. I believe that one of the strongest reasons to favor environment variables is version control: I've seen way too many database configurations etc. being accidentially stored in the version control system like GIT for every other developer to see (and whoops! it happened to me as well ...).
Not storing your passwords in files makes it impossible for them to be stored in the version control system.
On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength) :
Environment variables are more secure than plaintext files, because they are volatile/disposable, not saved; i.e. if you set only a local environment variable, like "set pwd=whatever," and then run the script, with something that exits your command shell at the end of the script, then the variable no longer exists. Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.
Anytime you have to store a password, it is insecure. Period. There's no way to store an un-encrypted password securely. Now which of environment variables vs. config files is more "secure" is perhaps debatable. IMHO, if your system is compromised, it doesn't really matter where it's stored, a diligent hacker can track it down.
Sorry I didn't have enough rep to comment, but I also wanted to add that if you're not careful, your shell might capture that password in it's command history as well. So running something like $ pwd=mypassword my_prog manually isn't as ephemeral as you might have hoped.
I think when possible you should store your credentials in a gitignored file and not as environment variables.
One of the things to consider when storing credentials in ENV (environment) variables vs a file is that ENV variables can very easily be inspected by any library or dependency you use.
This can be done maliciously or not. For example a library author could email stack traces plus the ENV variables to themselves for debugging (not best practice, but it's possible to do).
If your credentials are in a file, then peaking into them is much harder.
Specifically, think about an npm in node. For an npm to look at your credentials if they are in the ENV is a simple matter of process.ENV. If on the other hand they are in a file, it's a lot more work.
Whether your credentials file is version controlled or not is a separate question. Not version controlling your credentials file exposes it to fewer people. There's no need for all devs to know the production credentials. Since this lives up to the principle of least privilege, I would suggest git ignoring your credentials file.
It depends on your threat model.
Are you trying to prevent your users from sprinkling passwords all over their file systems where they are likely to be forgotten and mishandled? If so, then yes, because environmental variables are less persistent than files.
Are you trying to secure against something malicious that is directly targeting your program? If so, then no, because environment variables do not have the same level of access control that files do.
Personally, I think that negligent users are more common than motivated adversaries, so I'd go with the environment variable approach.
Among others, an issue with using environment variables to store secrets is that they can be leaked unintentionally:
Logstash)Potential issues with secrets stored in config files:
Irrelevant to the way you store secrets, if your system is compromised you're screwed. Extracting those is just a matter of time and effort.
So what can we do to minimize the risks?
Don't store/pass around secrets in plain text. One way to approach the problem is to use an external (managed or self-hosted) secrets storage solution (e.g. AWS Parameter Store, Azure Vault, Hashicorp Vault) and fetch sensitive data at runtime (possibly caching in memory). This way your secrets are encrypted in transit and at rest.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With