Store database password

We have a dilemma. We are storing our database password in an include
file that resides outside of the web root. The password is in plain
text. So, no one can get that password because it can't be served up
by the web server. So far, so good.

The customer wants all of our passwords encrypted. So, how do I go
about securely encrypting that password? If I use mcrypt, I have to
store a key and an IV somewhere...and if those are in clear text, I
might as well just store the password in clear text. That is to say, I
could encrypt the password with a given key and IV, and then hard code
that key and IV into my app and put the encrypted password into the
database. But, there's really no security in that.

Has anyone else done anything like this?

Thanks.

Pat

Jul 17 '05 #1
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.

You have to store <something> that will get you into the database.

Whatever that <something> is, it might as well be in plain text,
since by definition it gets you into the database, although you can
divide it up and scatter pieces of it around (which is security by
obscurity, which generally means not much security). If you further
encrypt, then the key to decrypt becomes part of the <something>
that HAS to be there to access the database.

Essentially, you're screwed, although some of the "security by
obscurity" techniques aren't 100% useless (having to calculate the
real password is a LITTLE harder than having it around in a file
somewhere).

Gordon L. Burditt
Jul 17 '05 #2
I have bad news. There are ways you could obfuscate what you're doing,
but ultimately you are sending the database a cleartext password.
That's what it requires. This means that anyone who can look at your DB
interaction code will be able to decipher what your application
password is.

That is why you limit access to your web db user to the localhost (So
someone from outside can't use that username/password, even if you tell
it to them). Have a separate username/password for external DB access.
I also recommend that you limit the permissions on your web DB user so
it can't alter/create/drop/etc if your application doesn't require that
it do so.

You could MD5 / base64 encode some text into a password, and use that
text as your application password. When they ask, say that it's a MD5
hashed value. It is cleartext, but at least it's basically random
cleartext. It's slightly dishonest, but they've asked you to do the
impossible.

If you limit your db interaction user to the localhost (since it's the
webserver on the localhost accessing the db), and have your
username/password in a file somewhere, then the only way to get at your
username/password is to get into your system at a level where they can
read your source. If they can do that, it's too late.

~D

Jul 17 '05 #3
Pat A wrote:
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.
>
> Has anyone else done anything like this?

I went and purchased ionCube Encoder just for that reason. I didn't find
any other method that couldn't be cracked in less than a couple of days'
time - by someone else of course. ;)

Of course, then there are some added benefits to using ionCube as well
that helped persuade my purchase. ;)

--
Justin Koivisto - ju****@koivi.com
http://koivi.com
Jul 17 '05 #4
Justin Koivisto wrote:
> Of course, then there are some added benefits to using ionCube as well
> that helped persuade my purchase. ;)

Such as? By far the only reason people use ionCube is so that they can
get some vendor lock-in by obfuscating the source code. That's nothing to
smile about.

Jul 17 '05 #5
Jason F. wrote:
> Justin Koivisto wrote:
> > Of course, then there are some added benefits to using ionCube as well
> > that helped persuade my purchase. ;)
>
> Such as? By far the only reason people use ionCube is so that they can
> get some vendor lock-in by obfuscating the source code. That's nothing to
> smile about.

obfuscating? No, it's actually encryption...

There are handy features with the Pro version GUI (I think they renamed
it to Cerberus now) for packaging and distributing. I've also found that
in many cases there is a performance boost, and the fact that I prevent
unauthorized files from including the encoded files helps me ensure that
the correct version of the files has been shipped with the product.

Then there are what you would call the "vendor lock-in" features, like
limiting a script to run on a certain IP (or MAC) address, server name,
expiration date, etc. Except for the encoding of the source, I don't use
any of those anyway. The biggest reason for the purchase was the fact
that I could encrypt my database connection details to be used on a
shared server where I had no control of the environment.

The fact that competitors that use the same server couldn't get the
source was just a plus to help me sell it to my supervisors. So again, ;)

--
Justin Koivisto - ju****@koivi.com
http://koivi.com
Jul 17 '05 #6
Pat A (pw*******@gmail.com) wrote:
: We have a dilemma. We are storing our database password in an include
: file that resides outside of the web root. The password is in plain
: text. So, no one can get that password because it can't be served up
: by the web server. So far, so good.

: The customer wants all of our passwords encrypted. So, how do I go
: about securely encrypting that password? If I use mcrypt, I have to
: store a key and an IV somewhere...and if those are in clear text, I
: might as well just store the password in clear text. That is to say, I
: could encrypt the password with a given key and IV, and then hard code
: that key and IV into my app and put the encrypted password into the
: database. But, there's really no security in that.

: Has anyone else done anything like this?

-1-

Require the user running the script to provide the password. Not good for
the general public, but is fine for a person like an administrator, or an
employee accessing a company's internal web.

-2-

Some databases have other forms of login support. Basically the database
allows a login from specific userids, and leaves it up to the OS to control
access. In this case the userid that runs the database scripts would be
allowed access without a password. As long as a person can't access that
OS account except through your controlled interface, then they can't access
the database (except the way you want them to).

-3-

Require the customer to manually start some part of the process whenever
the server is restarted. For example an operator interactively enters the
password at the console during the startup. The password can then be
stored in memory somehow.

Of course this only works for places that have 7/24 operator support, or
don't mind being down some of the time.

Of course even then, the password can potentially be extracted from
memory.

$0.04
--

This space not for rent.
Jul 17 '05 #7
On Thu, 12 May 2005 13:01:37 -0700, Pat A wrote:
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.

The only way to avoid storing the password on the server is for the user
to supply it on each request he/she makes to the application.

You could use the database's own authentication system to regulate access.

Start by having a low-privileged user name & password that has read-only
access to the tables used to generate public content.

Then for each operator of the system create users with higher levels of
access.
Jul 17 '05 #8
Pat A wrote:
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.
>
> Has anyone else done anything like this?

OK, there is also another way to do this that I had mentioned in a few
groups a couple years back...

If the server is apache on *nix...

1. httpd.conf should be chown root.root, chmod 600

2. in the virtual host for your domain, use SetEnv to create variables
like SQL_HOST, SQL_PASS, SQL_USER, SQL_DB

3. in PHP, access these variables as $_SERVER['SQL_HOST'],
$_SERVER['SQL_PASS'], $_SERVER['SQL_USER'] and $_SERVER['SQL_DB']

Doing this ensures that only someone with root access can actually
see/edit the details in the file on the server. Putting the statements
in the VirtHost container ensures that only your domain requests have
those variables set to your values.

Of course, they would have to be stored in memory *somewhere*, so it's
always possible to get the details (just hard to do).

I don't know what other servers have these capabilities, but on IIS/PHP,
you can have different php.ini settings via registry edits, so you could
actually set up your database details through that. (Don't know if
unprivileged users could get registry values, but wouldn't surprise me.)

--
Justin Koivisto - ju****@koivi.com
http://koivi.com
Jul 17 '05 #9
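The two pieces of advice above, post #9's SetEnv approach and post #3's localhost-only, least-privilege account, put together as an added example (not code from the thread or from any poster). It assumes Apache with the variable names from post #9, a MySQL/MariaDB server reached through PDO, PHP 8 or later, and placeholder values for the database and account names.

```php
<?php
// Added example, not from the thread. Assumes post #9's Apache setup: httpd.conf
// owned by root, mode 600, with SetEnv SQL_HOST / SQL_DB / SQL_USER / SQL_PASS in the
// site's VirtualHost, and a MySQL/MariaDB server reached through PDO on PHP 8+.
declare(strict_types=1);

/** Read one SetEnv value or fail closed; the message never includes the value. */
function requiredServerVar(string $name): string
{
    $value = $_SERVER[$name] ?? '';
    if ($value === '') {
        throw new RuntimeException("missing server variable $name");
    }
    return $value;
}

/** Connect from the SetEnv values, then drop them from $_SERVER so that a
 *  phpinfo() page or a var_dump($_SERVER) in an error handler cannot print them. */
function connectFromServerEnv(): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
        requiredServerVar('SQL_HOST'), requiredServerVar('SQL_DB'));
    $pdo = new PDO($dsn, requiredServerVar('SQL_USER'), requiredServerVar('SQL_PASS'), [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    foreach (['SQL_HOST', 'SQL_DB', 'SQL_USER', 'SQL_PASS'] as $name) {
        unset($_SERVER[$name]);
    }
    return $pdo;
}

/** Startup check for the advice in post #3: the web account must be bound to
 *  localhost and hold only the privileges the application actually needs. */
function assertLeastPrivilege(PDO $pdo, array $allowed = ['SELECT', 'INSERT', 'UPDATE']): void
{
    $account = (string) $pdo->query('SELECT CURRENT_USER()')->fetchColumn(); // e.g. webapp@localhost
    if (!str_ends_with($account, '@localhost')) {
        throw new RuntimeException("DB account $account is not limited to localhost");
    }
    foreach ($pdo->query('SHOW GRANTS FOR CURRENT_USER()')->fetchAll(PDO::FETCH_COLUMN) as $grant) {
        // e.g. "GRANT SELECT, INSERT ON `appdb`.* TO `webapp`@`localhost`"
        if (!preg_match('/^GRANT (.+?) ON /i', $grant, $m)) { continue; }
        foreach (array_map('trim', explode(',', strtoupper($m[1]))) as $priv) {
            if ($priv !== 'USAGE' && !in_array($priv, $allowed, true)) {
                throw new RuntimeException("DB account holds an unexpected privilege: $priv");
            }
        }
    }
}

$pdo = connectFromServerEnv();
assertLeastPrivilege($pdo);
```

As the thread notes, the credentials still exist in the Apache process memory and in the PHP variables for the duration of the request; this only narrows who can read the file and what the account can do if it leaks.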
You didn't mention what database software and what OS. For MS
SQL Server, you can use the credential of the account running the web
server to authenticate instead of username/password. The same can
probably be done in other software/OS.

Jul 17 '05 #10