Re^2: encrypt passwords

I have a list of hashes:

@LoH = (
                {
                     database        => 'PQxxxxLD',
                     hostname        => 'wpx0z051xsi.xxxx.com',
                     servicename     => 'pqospxxxbld.xxxx.com',
                     port            => '9010',
                     username        => 'username',
                     password        => 'password',
             }    env             => 'prod',
    )
[download]

This data is stored in a Perl module. There will be perhaps 100 databases. The program is run vi a cron file and there is no user action so the vulnerablity is only through the info stored in the program code. I'm thinking of having two columns in a protected table where one column is the plain-text key and the other column is the actual password

Comment on Re^2: encrypt passwords Download Code

Replies are listed 'Best First'.
Re^3: encrypt passwords by CountZero (Bishop) on Apr 17, 2015 at 13:58 UTC
I don't think it is a good idea to store the passwords in a Perl module, unless you can be very sure that only authorized people can get access to this module. And if you are certain no "black hats" can have ever have access then encrypting the passwords does not serve any additional purpose. Personally I think it is more secure to store the passwords in a separate data-base with access to this database only granted to the particular cron-process that runs your script(s). CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James My blog: Imperial Deltronics	[reply]
Re^4: encrypt passwords by bitingduck (Deacon) on Apr 17, 2015 at 16:25 UTC
An alternative that's maybe a little simpler depending on the use case is to store them in a local file that only the process that needs them has read permissions for. It's probably still worth putting some encryption on it to prevent accidental viewing in case permissions get messed up, but it will be useless against an actual attacker, who would probably get access to the perl code, too.	[reply]
Re^5: encrypt passwords by CountZero (Bishop) on Apr 17, 2015 at 19:12 UTC
store them in a local file that only the process that needs them has read permissions for That is not a bad idea but it may get messy if you have to update the file: either you give more users access to the file or you must switch to become the user that has sole access or --horror-- you become root to access the file, a sure way to mess things up badly. Most databases allow fine-grained access levels to the data: reading, writing, deleting, updating, ... all or some can be given or not to specific users. For man years I run a claims database that once was acccessible through a web-page. The webserver only had a read access to the main data-tables, but could add/update/delete records in tables that stored comments. I never had any corruption of the main data tables, but regularly had to "clean" the tables holding the comments. As the OP already has a database-server running, it will be no big effort to add a small table with the password data. CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James My blog: Imperial Deltronics	[reply]