Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses

Re^3: Keeping a password safe.

by aaron_baugher (Curate)
on Jun 10, 2012 at 03:25 UTC ( #975362=note: print w/replies, xml ) Need Help??

in reply to Re^2: Keeping a password safe.
in thread Keeping a password safe.

Here's the problem: there's no such thing as "stored in such a way that the password is secure." If your program can get at the password and use it without need for any manual input, then anyone who gains access to your program can do the same. You can do a certain amount of obfuscation so no one will stumble across the password accidentally, but that's not actual security, and it won't stop a determined invader. You could run the password through six kinds of reversible encryption, chop the result up into individual bytes, and hide each byte into a different spot in a JPEG image in a hidden directory; but if your program knows how to reverse the whole process and get the password, anyone who gains access to your program can do it too.

The same thing is true of SSH private keys, by the way. They're better because they avoid sending passwords across the network, not because their local storage is any more inherently secure. (SSH keys can be protected by requiring a typed-in passphrase, but presumably you don't want to require human input every time you run this script.)

So the place to worry about security is not within your application or how it stores its passwords, but in how secure your system is at the network, user, and physical level. If the system is on a network, then network security is necessary to make sure no one can get at your application and private data that way. If there are other users on your system, you have to make sure those users don't have access to your files. If they can't read your password file, it really doesn't matter whether your password is cleartext or obfuscated. At the physical level, if other people use your computer, you may need to take steps to make sure they can't access your program from the console, even by rebooting.

Take care of those levels of security, and you'll have nothing to worry about. Ignore them, and your passwords won't be secure, no matter how you store them.

Aaron B.
Available for small or large Perl jobs; see my home node.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://975362]
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others chanting in the Monastery: (9)
As of 2018-06-18 14:05 GMT
Find Nodes?
    Voting Booth?
    Should cpanminus be part of the standard Perl release?

    Results (110 votes). Check out past polls.