On Windows, another option you might look at is storing the password in DPAPI. "It's turtles all the way down" is not an acceptable response. The main thing to watch out for with the configuration file, is to make sure it is stored outside of your web root and that its file permissions are locked down appropriately.Įncrypting the password that's stored in the configuration file doesn't help, because now where do you store the decryption key? You've just shifted the problem around. The choices are: have a user enter in the password at boot time (this is bad, because if your server gets rebooted, now the server is unreachable until a person can physically walk up to the server and enter the password) hardcode the password into the source code of the server code (this is much worse than putting it in a configuration file) or store the password in a configuration file (the least bad of all options). Storing the password in a configuration file stored in a suitable location is probably making the best of a set of poor choices. If you are running a server that needs a password for access to some remote service, then there's no good solution. This way, should the improbable happen (access to key), you can take corrective action. Regardless of whether preventative or detective controls are used, enabling some auditing functions is a must along with review of audit logs. Separating key files could simplify the overall architecture and implementation of controls. Preventative controls are more difficult while detective controls are generally easier to implement. If anything, a good approach is to implement multiple layers of controls. In those instances, perhaps additional measures such as encoding adds some additional value relative to the cost of complexity. However, you can use simple "keys" (more like passwords) as input to a key expansion function. You can always encode/encrypt the key, but such methods doesn't deter someone that's smart enough to take a screen shot. ![]() An encryption key is usually seen as an alphanumeric string that's hard to commit to to memory. There's only a limited number of ways to protect the key. Should the encryption keys for password be human readable? It depends. how does one change the key without rebuilding/recompiling the binary?). require a separate function (perhaps with auditing) when to decode the password, but that increases the complexity for the developer and admin (i.e. You can encode/encrypt the hard coded password (i.e. Careful encoding of password can easily be detected by running a "strings" against the binary. Hard coding the key may be fine if you limit access to the binary. Similarly, you can implement auditing for access to the key file, which you can use to correlate back to events that require use of key. For example, you can use access control to limit access to the key file but still maintain a more open ACL for the config file. Well, separating the encryption key in another file increases the difficulty for someone to view the key. How to deal with the fact that a key has to be hard coded or stored in another file. Encrypting the password is much safer, but that requires additional complexity. Encoding the password would reduce the chance that it's leaked in the event someone scrolls through the file, say with a vendor support rep watching. If you have to store password in a config file, I'd recommend at least encoding the password where possible. To get to your questions, here's my take: Any other access request (successful or not) to the key file could indicate abnormal activity. You can correlate events (such as restarting of server/service) with access to the key file. For example, you can audit access to a file that contains the key. already posted, you can layer detective controls to improve the security posture. Without getting into the details or reiterating what D.W. ![]() There are many different ways to protect the key. The other approaches to preventative controls would likely use encryption. ![]() Base32/64 encoding is a simple way of protecting passwords that do not require additional logic to be built/maintained. Such an approach just increases the difficulty of memorizing the random sequence of numbers as well as the method that should be used to decode the string. This approach is meant to protect the password from accidental sharing (a b32 encoding would produce less meaningful characters (b32 produces longer string than b64). Preventative controls include encryption but you could also encode the password to make it less obvious. Perhaps taking one step back and comparing benefits of preventative and detective controls might help. So the following was a bit too long for a comment.
0 Comments
Leave a Reply. |