[Engine-devel] Dropping encryption of database password

Josh Bressers bressers at redhat.com
Wed May 1 18:13:24 UTC 2013


> > 
> > > > 
> > > > In another words you are for storing password as plain text.... :)
> > > 
> > > If the file is protected , I don't mind that the password is in plain
> > > text...
> > > 
> > 
> > Hi all,
> 
> Hello,
>  
> > Itamar pointed me at this thread. I'm part of the Red Hat Product Security
> > Team, we exist to help various projects and products with security needs
> > (such as advice in this instance).
> > 
> > I can't really comment on this without understanding some of the background
> > (sorry for not being up to speed, I don't have time to research this
> > today and I'm away tomorrow so my replies may be slow).
> > 
> > Can you explain to me what the passwords in question are used for?
> 
> The password of the user used to access the database.
> 

Ahh, so the subject is quite literal.

So in an instance like this it's not uncommon to store this password as
plaintext in a file. The important part is then to ensure that the file is
protected and can only be accessed on a need-to-know basis.

Using various scrambling techniques don't really provide any additional
security. Some claim it makes things worse as it provides a false sense of
security.

I would suggest you make a note about what processes and users can view or
modify this file and for what reasons. This should help identify things in
the future that should or shouldn't have this level of access.

Let me know if you have any questions.

Thanks.

-- 
Josh Bressers / Red Hat Product Security Team



More information about the Engine-devel mailing list