Where do you store database passwords?

Question

What are ways of getting database and other service passwords out of your code? I've read about using per server properties files but when you have a large number of servers it gets to hard to maintain. I've also seen a solution using a CI's build process to "inject" passwords but that makes it difficult to update the password on-the-fly.

Some requirements to help narrow the field of answers...

1. The password should be easy to change and propagate in the event of a security breach.
2. Password can not appear in code (due to point 1)
3. It should be "non trivial" for a human to get a plain-text version of the password
4. Should work well in the web application and stand alone applications
5. Easy to adopt from a application developer standpoint

Some nice-to-haves include not introducing a single point of failure, a quick development time, and easy to understand.

This is similar in spirit to this question but with an strong emphasis on maintainability and focuses more on the server side case.

Answer 1

You could store it in plain text in a file in a protected directory that can only be read by the account in which the application is run. In case of a web application, you should always store the password outside the web root folder.

Answer 2

If you use a database connection pool then the username, password and other database details are generally managed in the Java Web Container and presented to the Java code as a Datasource. You just ask for a Database connection without having to know any of these details.