In web applications you have to store somewhere passwords used to for example connect to a database. This is mostly done in a configuration file in plain text.
I've been searching to make this more secure and saw Jasypt (www.jasypt.org) which makes it possible to encrypt these passwords. But you still need a key to decrypt these, which just moves the problem. Then I moved this key to a system environment variable so it's at least outside of the application. But I still think this doesn't really change a lot?
How do other people solve this problem?
A plain text password (or Plaintext, or Plain-text) is a way of writing (and sending) a password in a clear, readable format. Such password is not encrypted and can be easily read by other humans and machines.
Failure frequently compromises all data that should have been protected.
Password managers encrypt your credentials and store them only in an encrypted form. This means that even in the case of major data breach, the hacker would get only the encrypted blobs useless without your master password.
Don't store production passwords in a config file inside your source code.
This would make any person with access to the code an admin de facto. Environment variables set on the production server are a good way to go. You can have the app retreive the value from there, and have different values for different environments (dev, test, live). This allows for instance sysadmin to know the production passwords (they have access anyway, it's their jobs), without requiring the developers to know them.
Works pretty well in my experience.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With