[Melbourne-pm] Obfuscating passwords in configurations

Toby Corkindale toby.corkindale at strategicdata.com.au
Thu Dec 2 16:17:13 PST 2010


On 02/12/10 01:36, Sam Watkins wrote:
> On Wed, Dec 01, 2010 at 09:29:10PM +1100, Leigh Sharpe wrote:
>> Hi All,
>>   I'm using Config::Simple to retrieve configuration options from an external file. One of the configuration options is a password, but I'm really not keen on having a password in plain-text in a config file. Just setting the config file to be non-world-readable isn't really adequate. Can anybody suggest a way of obfuscating the password in the config file, and being able to retrieve it in my program?
>
>
> Ok, I was silly enough to implement some sort of password encryption /
> decryption thing in perl.  It uses a 20-byte secret, which shouldn't go in the
> same config file, random salt, sha1, XOR and base64 encoding.  I think this
> would deter casual inspection at least, and it would be extremely hard to break
> without the secret... unless I've made some stupid mistake!

Well, the script you link 404s when I try to download it..

> A limitation is that the password may not be more than 20 characters long.
> One might encrypt longer passwords in < 20 character sections.
>
> You could use this or similar to send encrypted passwords to users, e.g. in a
> web cookie, keeping the secret hidden from them on a server.
>
>    http://sam.ai.ki/secret.pl
>
> I guess this is probably overkill for your needs.

I recommend that people use established crypto libraries when they need 
crypto. It's harder to get this stuff right than you might think.. and 
these other libraries have *already been written*, so you can be lazy 
AND secure at the same time! :D

For example:
Crypt::OpenSSL::RSA
Crypt::CBC



However for the case in question - encrypting passwords in config files 
- can I just point out:
What's to stop an attacker editing your Perl program, finding a point 
after the config is loaded and decrypted, and just inserting:

say "The decrypted password is: " . $self->config->password;


Toby
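Added example (my own sketch, not code from this thread and not Sam's script): the shape of what Toby is recommending and warning about in one place. The password sits in a Config::Simple INI file encrypted with Crypt::CBC, the secret lives in a separate key file that the program refuses to use unless it is mode 0600, and the last line is the one an attacker who can edit the script needs. It assumes Crypt::CBC 3.x (for -pbkdf), Crypt::Cipher::AES from CryptX, Config::Simple and MIME::Base64; the file names app.key/app.ini and the sample password are made up for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread.  Assumes Crypt::CBC 3.x (for
# -pbkdf), Crypt::Cipher::AES from CryptX, Config::Simple and MIME::Base64.
# File names and the sample password are made up for the demonstration.
use strict;
use warnings;
use feature 'say';
use Crypt::CBC;
use Config::Simple;
use MIME::Base64 qw(encode_base64 decode_base64);
use File::Temp   qw(tempdir);

my $dir      = tempdir(CLEANUP => 1);
my $key_file = "$dir/app.key";   # the secret: NOT in the same file as the config
my $cfg_file = "$dir/app.ini";

# One-off: generate a 32-byte random secret and store it mode 0600.
{
    open my $rnd, '<', '/dev/urandom' or die "/dev/urandom: $!";
    binmode $rnd;
    read($rnd, my $secret, 32) == 32 or die "short read from urandom";
    close $rnd;
    my $old = umask 077;
    open my $out, '>', $key_file or die "$key_file: $!";
    binmode $out;
    print {$out} $secret;
    close $out;
    umask $old;
}

# Load the secret, refusing to run if the key file is group/world readable.
sub load_secret {
    my ($path) = @_;
    my @st = stat $path or die "stat $path: $!";
    die "$path is readable by others; chmod 600 it\n" if $st[2] & 077;
    open my $fh, '<', $path or die "$path: $!";
    binmode $fh;
    local $/;
    my $secret = <$fh>;
    close $fh;
    return $secret;
}

# AES-CBC via Crypt::CBC.  PBKDF2 derives key and IV from the secret plus a
# random salt that Crypt::CBC writes into a "Salted__" header, so the same
# password does not encrypt to the same string every time.
sub cipher {
    my ($secret) = @_;
    return Crypt::CBC->new(
        -pass   => $secret,
        -cipher => 'Cipher::AES',
        -pbkdf  => 'pbkdf2',
    );
}

sub encrypt_password {
    my ($secret, $plain) = @_;
    return encode_base64(cipher($secret)->encrypt($plain), '');
}

sub decrypt_password {
    my ($secret, $b64) = @_;
    return cipher($secret)->decrypt(decode_base64($b64));
}

my $secret = load_secret($key_file);

# Operator step: write the config with the encrypted value only.
my $cfg = Config::Simple->new(syntax => 'ini');
$cfg->param('db.user',         'appuser');
$cfg->param('db.password_enc', encrypt_password($secret, 'demo-password-not-real'));
$cfg->write($cfg_file) or die Config::Simple->error();

# Application start-up: the program must be able to decrypt, so it holds
# both the ciphertext and the secret at the same time.
my $conf = Config::Simple->new($cfg_file) or die Config::Simple->error();
say "on disk: db.password_enc = ", $conf->param('db.password_enc');
my $password = decrypt_password($secret, $conf->param('db.password_enc'));

# Toby's point: anyone who can edit this file needs exactly one more line.
say "The decrypted password is: $password";
```

Run it as an ordinary Perl script. The ciphertext in app.ini is only as private as app.key and as the account that can edit the program, which is the whole of Toby's objection; what the library buys you over a home-grown XOR scheme is not having to worry about the cipher, and what the permission check buys you is a loud failure instead of a quiet leak.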

