Beefy Boxes and Bandwidth Generously Provided by pair Networks
laziness, impatience, and hubris
 
PerlMonks  

Re^2: encrypt passwords

by fionbarr (Friar)
on Apr 17, 2015 at 13:24 UTC ( [id://1123758]=note: print w/replies, xml ) Need Help??


in reply to Re: encrypt passwords
in thread encrypt passwords

I have a list of hashes:
@LoH = ( { database => 'PQxxxxLD', hostname => 'wpx0z051xsi.xxxx.com', servicename => 'pqospxxxbld.xxxx.com', port => '9010', username => 'username', password => 'password', } env => 'prod', )
This data is stored in a Perl module. There will be perhaps 100 databases. The program is run vi a cron file and there is no user action so the vulnerablity is only through the info stored in the program code. I'm thinking of having two columns in a protected table where one column is the plain-text key and the other column is the actual password

Replies are listed 'Best First'.
Re^3: encrypt passwords
by CountZero (Bishop) on Apr 17, 2015 at 13:58 UTC
    I don't think it is a good idea to store the passwords in a Perl module, unless you can be very sure that only authorized people can get access to this module. And if you are certain no "black hats" can have ever have access then encrypting the passwords does not serve any additional purpose.

    Personally I think it is more secure to store the passwords in a separate data-base with access to this database only granted to the particular cron-process that runs your script(s).

    CountZero

    A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

    My blog: Imperial Deltronics

      An alternative that's maybe a little simpler depending on the use case is to store them in a local file that only the process that needs them has read permissions for. It's probably still worth putting some encryption on it to prevent accidental viewing in case permissions get messed up, but it will be useless against an actual attacker, who would probably get access to the perl code, too.

        store them in a local file that only the process that needs them has read permissions for
        That is not a bad idea but it may get messy if you have to update the file: either you give more users access to the file or you must switch to become the user that has sole access or --horror-- you become root to access the file, a sure way to mess things up badly.

        Most databases allow fine-grained access levels to the data: reading, writing, deleting, updating, ... all or some can be given or not to specific users.

        For man years I run a claims database that once was acccessible through a web-page. The webserver only had a read access to the main data-tables, but could add/update/delete records in tables that stored comments. I never had any corruption of the main data tables, but regularly had to "clean" the tables holding the comments.

        As the OP already has a database-server running, it will be no big effort to add a small table with the password data.

        CountZero

        A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

        My blog: Imperial Deltronics

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://1123758]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others examining the Monastery: (6)
As of 2024-03-28 23:23 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found