While everyone else is adding the way they do it ... I'll add mine. I don't store the password absolutely anywhere. The database I use allows (mandates) OS authentication for the database. So I can have the user that apache is running under authorised for the database, and then I don't have any password to give.
This has some drawbacks, but I'm not sure that for web apps it's any worse than other solutions - sure, a co-hosted CGI app may be able to connect to the db as well, but then a co-hosted CGI could also grab the password from wherever I put it (encrypted or not). At least because I don't have a password to steal, no one can use the database other than as a co-hosted CGI app. (And, of course, there are no CGI apps co-hosted on any of my servers that aren't written by me or someone I trust.)
PS - the web user only has as much authority as is needed, definitely not the authority to grant authority to other users.
In reply to Re: Best practices for database passwords by Tanktalus, in thread Best practices for database passwords by Miss Brain
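As an added illustration (not from the post above, which does not name the database product it uses): the same arrangement on PostgreSQL, where a `peer` line in pg_hba.conf maps the OS user Apache runs as onto a database role that has no password and only the privileges the application needs. The OS/role name `www-data`, the database `webapp` and the table `orders` are placeholders assumed for the example.

```sql
-- pg_hba.conf (not SQL; shown as a comment for context). Connections over
-- the local Unix socket from OS user www-data are authenticated by OS
-- identity, so there is no password to store or steal:
--
--   local   webapp   www-data   peer
--
-- Database role for the web server's OS user (name assumed). LOGIN, but no
-- password, and none of the role-management rights, so it cannot grant
-- authority to other users.
CREATE ROLE "www-data" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Strip the defaults that would let any role create objects or connect.
REVOKE ALL ON DATABASE webapp FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Grant only what the application needs, and never WITH GRANT OPTION.
GRANT CONNECT ON DATABASE webapp TO "www-data";
GRANT USAGE ON SCHEMA public TO "www-data";
GRANT SELECT, INSERT, UPDATE ON TABLE orders TO "www-data";
GRANT USAGE ON SEQUENCE orders_id_seq TO "www-data";
```

With that in place a Perl script running under Apache connects with no credentials at all, e.g. `DBI->connect('dbi:Pg:dbname=webapp', undef, undef)`: with no host given, libpq uses the Unix socket and the OS user name, and pg_hba.conf does the rest. To check the setup, run `psql webapp -c 'SELECT current_user'` as that OS user and confirm it succeeds without a password prompt, then confirm that a `GRANT` or `CREATE ROLE` issued by that role is refused.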