I am authoring a web application that connects (via DBD::ODBC) to an external SQL-Server database. By external, I mean not on the same subnet. This connection requires authentication, since no anonymous or guest access is allowed by the SQL Server (a good thing).

What I'm running up against is a pair of conflicting policies that result from stupidity in system architecture (over which I have no control). Because of settings I cannot change, and the admins will not change, integrated authentication to the SQL server will not work. All well and good, as I have been given a SQL Server login -- I just have to supply the username and password via the DBI->connect() construct. Even the fact that the password is in the clear is OK, because the link is over an IPSec-protected connection and so encrypted.

However, it is against policy to store a password in clear text in the registry, config files, or code. Packing with PAR doesn't exempt me, as the policy specificially names source code. So, I have to use a SQL ID because of one policy, but I can't store it in the clear because of another. I've already tried to get one of these policies excepted for this app, but no luck.

I have been stumped -- I pray my fellow monks can give me ideas as to how to approach storing a password in a secure way, without storing keys or passwords in the clear, and without requiring user interaction. It seems like an impossible task, but then it might just be my frustration.

Thank you in advance for any insights provided.

Update: Thanks to kutsu and graff for ideas that combined for my solution. I used Data::UUID to generate a "SID" (not really, but close enough) for my app which is used as a key to decrypt the password from a registry entry (using Win32::TieRegistry, Crypt::CBC as an interface to Crypt::Blowfish). SIDs are exempt from the key-storage rule for obvious reasons, thanks to graff for getting me thinking along those lines.

The Eightfold Path: 'use warnings;', 'use strict;', 'use diagnostics;', perltidy, CGI or CGI::Simple, try the CPAN first, big modules and small scripts, test first.

In reply to Security: balancing two conflicting password policies by radiantmatrix

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.