Keeping Passwords Embedded In Code Secure? 130
JPyObjC Dude asks: "When designing any system that requires automated privileged access to databases or services, developers often rely on hard coding (embedding) passwords within the source code. This is obviously a bad practice as the password is then made available to anybody who has access to the source code (eg. software source control). Putting the passwords in configuration files is another practice, but it is still quite insecure as cracking hashed passwords from a text file is a trivial exercise. What do you do to manage your application passwords so that your system can run completely automated and yet make it difficult for hackers to get their hands on this precious information?"
Passwords suck (Score:5, Informative)
Kerberos (Score:4, Informative)
Re:Public-key crypto? (Score:3, Informative)
In short, if a cracker has full access of a program or system and the system has access to the passwords (even if it does some fiddling around before revealing the passwords) then the cracker has full access to the passwords. There's no way to protect against that except by not allowing any access to the passwords (by just not posting the files that the passwords are in) or by not having the passwords in the program at all and having it so the user must type them in. Anything more are delaying tactics and do not give a high level of security, just some level of obfuscation...
Can't be done, no way, no how. (Score:5, Informative)
First, let me dispose of one issue:
It's much, much worse than that, because the password is also available to anybody who has access to the binary. "man strings".
Others have suggested various options, but absolutely none of them work.
The bottom line is: If the machine has all of the information needed to perform the authentication without human intervention, then an attacker who gains control of that machine has all of the information needed to perform the authentication. Period. No getting around it. The best you can do is limit the damage in the case where the attacker has only partial access.
What is that best? For a network-accessible machine, do the following:
That's a lot of work, and it's still not completely secure. Luckily, very little needs even that level of security. Oh, and there aren't any OSes available that make good use of a TPM yet, so it's not really possible.
For most systems, what I'd really recommend is: Put the auth credentials in plaintext in a config file and limit access to that file to the bare minimum. If you have Mandatory Access Controls (e.g. SELinux), configure them to allow only the server process to read that file. Then, lock the whole system down as tightly as possible (within existing constraints). Ensure that a bare minimum number of people have logins on the machine, and that they all have minimum permissions, firewall it as completely as possible, and keep it up to date on security patches. Finally, put it in a locked room and tightly control physical access to it.
Of course, even this reduced-security approach is too onerous in many cases, so you have to make compromises. That's where a good understanding of security and plenty of hard thinking about what compromises can be made come in.
There ain't no silver bullet.
Re:Can't be done, no way, no how. (Score:4, Informative)
Responding to myself... Uh oh.
It occurs to me that I may be answering the wrong question. If the assumption is that the attacker won't have access to the server, but may have access to the development team's source code, then the answer is simple: put the password in a config file that the developers don't have access to.
Re:You don't even need the source code (Score:3, Informative)