Re: Store database password
- From: gordonb.vnyju@xxxxxxxxxxx (Gordon Burditt)
- Date: Thu, 12 May 2005 20:14:52 -0000
>We have a dilemma. We are storing our database password in an include
>file that resides outside of the web root. The password is in plain
>text. So, no one can get that password because it can't be served up
>by the web server. So far, so good.
>
>The customer wants all of our passwords encrypted. So, how do I go
>about securely encrypting that password? If I use mcrypt, I have to
>store a key and an IV somewhere...and if those are in clear text, I
>might as well just store the password in clear text. That is to say, I
>could encrypt the password with a given key and IV, and then hard code
>that key and IV into my app and put the encrypted password into the
>database. But, there's really no security in that.

You have to store <something> that will get you into the database.
Whatever that <something> is, it might as well be in plain text,
since by definition it gets you into the database, although you can
divide it up and scatter pieces of it around (which is security by
obscurity, which generally means not much security). If you further
encrypt, then the key to decrypt becomes part of the <something>
that HAS to be there to access the database.

Essentially, you're screwed, although some of the "security by
obscurity" techniques aren't 100% useless (having to calculate the
real password is a LITTLE harder than having it around in a file
somewhere).

Gordon L. Burditt