Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Secure plain text passwords in configuration

Tags:

java

security

In web applications you have to store somewhere passwords used to for example connect to a database. This is mostly done in a configuration file in plain text.

I've been searching to make this more secure and saw Jasypt (www.jasypt.org) which makes it possible to encrypt these passwords. But you still need a key to decrypt these, which just moves the problem. Then I moved this key to a system environment variable so it's at least outside of the application. But I still think this doesn't really change a lot?

How do other people solve this problem?

like image 850
Nathan Q Avatar asked Aug 01 '14 07:08

Nathan Q


People also ask

Are plain text passwords secure?

A plain text password (or Plaintext, or Plain-text) is a way of writing (and sending) a password in a clear, readable format. Such password is not encrypted and can be easily read by other humans and machines.

Is it safe to store passwords in config file?

Failure frequently compromises all data that should have been protected.

Do password managers store passwords in plaintext?

Password managers encrypt your credentials and store them only in an encrypted form. This means that even in the case of major data breach, the hacker would get only the encrypted blobs useless without your master password.


1 Answers

Don't store production passwords in a config file inside your source code.

This would make any person with access to the code an admin de facto. Environment variables set on the production server are a good way to go. You can have the app retreive the value from there, and have different values for different environments (dev, test, live). This allows for instance sysadmin to know the production passwords (they have access anyway, it's their jobs), without requiring the developers to know them.

Works pretty well in my experience.

like image 191
Martin Avatar answered Oct 27 '22 05:10

Martin