I just started on a Django project, and in the settings.py file of the project the database section looks like this:
```python
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',  # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
        'NAME': 'blogengine',                  # Or path to database file if using sqlite3.
        # The following settings are not used with sqlite3:
        'USER': 'blogadmin',
        'PASSWORD': 'blog@123',
        'HOST': 'localhost',                   # Empty for localhost through domain sockets or '127.0.0.1' for localhost through TCP.
        'PORT': '3306',                        # Set to empty string for default.
    }
}
```
Is there any way in which I don't have to enter the password as plaintext but maybe enter it in some encrypted form?
By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. This should be sufficient for most users: it's quite secure, requiring massive amounts of computing time to break.
MySQL server uses the PASSWORD function to encrypt MySQL passwords for storage in the Password column of the user grant table. The value returned by the PASSWORD function is a hashed string, or NULL if the argument was NULL. The PASSWORD function accepts one parameter which is the string to be encrypted.
@anotheruser Yes, you can't 'decrypt' a hashed password through django. (A hash is a one-way function not really encryption). You could possibly save the password of the user in plaintext in the DB, when they create a user account. See: stackoverflow.com/questions/44109/…
There is no point in trying to protect that password.
Any token in that file that can be used to access the database can be used by anyone else to access the database. That's how shared secret security works. Replace the password by a randomly generated token, for example, and you still have to communicate that token to settings.py.
Your better bet is to restrict what computers can connect to your MySQL database using that username and password, adding an additional layer of security. Oh, and making sure no one can access settings.py by securing your webserver and source control systems properly.
Another thing you could do is not to store your password/token in your settings.py; it is a bad practice for security. Instead, you should create an environment variable for the user that runs your app, let's say:
```shell
export MYSQL_PASSWORD=1234
```
And read it from your Django app as follows:
```python
import os

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',  # Add 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
        'NAME': 'blogengine',                  # Or path to database file if using sqlite3.
        # The following settings are not used with sqlite3:
        'USER': 'blogadmin',
        'PASSWORD': os.getenv('MYSQL_PASSWORD'),  # read from the environment, never committed to source control
        'HOST': 'localhost',                   # Empty for localhost through domain sockets or '127.0.0.1' for localhost through TCP.
        'PORT': '3306',                        # Set to empty string for default.
    }
}
```
You should do this for all your "sensible data" like EMAIL_HOST_PASSWORD, AWS tokens and secrets and that kind of stuff. This way you separate the configuration from the environment, and you don't have to change those parameters on your testing server or in your local environment; you just have to ensure that your environment variables are the same but point to the correct location according to your environment.
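A bare `os.getenv('MYSQL_PASSWORD')` silently yields `None` when the variable is unset, so the database driver fails later with a confusing authentication error instead of at start-up. The following is an added example, not code from the question or the answers above, showing a small loader that fails fast on a missing secret, takes the non-secret settings from the environment with defaults, and produces a redacted copy that is safe to log. The variable names other than `MYSQL_PASSWORD` (`MYSQL_NAME`, `MYSQL_USER`, `MYSQL_HOST`, `MYSQL_PORT`) and the helper names are assumptions for illustration; the `environ` parameter exists so the loader can be exercised against a plain dict without touching the real process environment.

```python
import os
from typing import Mapping, Optional


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def env_secret(name: str, environ: Optional[Mapping[str, str]] = None,
               default: Optional[str] = None) -> str:
    """Return the value of environment variable `name`.

    An unset or empty variable with no default raises immediately, so the
    process refuses to start rather than handing the driver PASSWORD=None.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None or value == "":
        if default is not None:
            return default
        raise MissingSecretError(f"required environment variable {name} is not set")
    return value


def build_database_settings(environ: Optional[Mapping[str, str]] = None) -> dict:
    """Build a Django-style DATABASES dict from environment variables.

    Only MYSQL_PASSWORD has no default: a deployment that forgets to set it
    fails at import time with a clear message. (Variable names other than
    MYSQL_PASSWORD are assumptions chosen for this example.)
    """
    env = os.environ if environ is None else environ
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": env_secret("MYSQL_NAME", env, default="blogengine"),
            "USER": env_secret("MYSQL_USER", env, default="blogadmin"),
            "PASSWORD": env_secret("MYSQL_PASSWORD", env),
            "HOST": env_secret("MYSQL_HOST", env, default="localhost"),
            "PORT": env_secret("MYSQL_PORT", env, default="3306"),
        }
    }


def redacted(settings: dict, mask: str = "********") -> dict:
    """Return a copy of DATABASES with every PASSWORD replaced by `mask`.

    Use this copy in start-up logs or debug pages; the secret itself should
    never leave the process that needs it.
    """
    out = {}
    for alias, cfg in settings.items():
        cfg = dict(cfg)
        if "PASSWORD" in cfg:
            cfg["PASSWORD"] = mask
        out[alias] = cfg
    return out


if __name__ == "__main__":
    # Constructed sample environment, standing in for the real os.environ.
    sample_env = {"MYSQL_PASSWORD": "example-only-not-a-real-secret"}
    print(redacted(build_database_settings(sample_env)))
    try:
        build_database_settings({})
    except MissingSecretError as exc:
        print("start-up refused:", exc)
```

In a real settings.py you would write `DATABASES = build_database_settings()` and let the import fail when the variable is missing; the redacted copy is what belongs in any log line or diagnostic output.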