[Melbourne-pm] Obfuscating passwords in configurations

Shlomi Fish shlomif at iglu.org.il
Wed Dec 1 06:50:49 PST 2010

On Wednesday 01 December 2010 12:29:10 Leigh Sharpe wrote:
> Hi All,
>  I'm using Config::Simple to retrieve configuration options from an
> external file. One of the configuration options is a password, but I'm
> really not keen on having a password in plain-text in a config file. Just
> setting the config file to be non-world-readable isn't really adequate.
> Can anybody suggest a way of obfuscating the password in the config file,
> and being able to retrieve it in my program?

First of all read this:


(sorry for the broken URL.)

Reading from it:

Another lesson is about security by obscurity. Some fetchmail users asked me 
to change the software to store passwords encrypted in the rc file, so 
snoopers wouldn't be able to casually see them.

I didn't do it, because this doesn't actually add protection. Anyone who's 
acquired permissions to read your rc file will be able to run fetchmail as you 
anyway—and if it's your password they're after, they'd be able to rip the 
necessary decoder out of the fetchmail code itself to get it.

All .fetchmailrc password encryption would have done is give a false sense of 
security to people who don't think very hard. The general rule here is:

    17. A security system is only as secure as its secret. Beware of pseudo-

Now if that's still what you want, you can have the password encrypted with a 
key before being stored in the configuration file and then decrypted upon 
loading. You can do it with the bitwise xor operator ("^") with a long enough 
key, or perhaps use something like http://search.cpan.org/dist/Crypt-Blowfish/ 
. Either way, people who have access to your source code will be able to tell 
what your password is.


	Shlomi Fish

Shlomi Fish       http://www.shlomifish.org/
My Aphorisms - http://www.shlomifish.org/humour.html

<rindolf> She's a hot chick. But she smokes.
<go|dfish> She can smoke as long as she's smokin'.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
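
The XOR approach described in the message above, as an added example that is not part of the original post: it stores the password XORed with a key held in the script, then shows that the same key and routine give the plaintext back. The key, the password and the `password_obf` option name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values. The key lives in the program source, so anyone
# who can read the source has it as well.
my $KEY      = 'k3y-embedded-in-the-script-source';   # hypothetical key
my $password = 'S3cr3t-db-pass';                      # constructed sample

# XOR each byte of $data with the key, repeating the key as needed.
# XOR is its own inverse, so one routine both encodes and decodes.
sub xor_with_key {
    my ($data, $key) = @_;
    die "empty key\n" unless length $key;
    my $stream = $key x (int(length($data) / length($key)) + 1);
    my $pad    = substr($stream, 0, length $data);
    # Interpolating forces both operands to strings, so ^ is bytewise XOR.
    return "$data" ^ "$pad";
}

# Value the program would write to its config file (hex keeps it printable).
sub obfuscate   { return unpack 'H*', xor_with_key($_[0], $KEY) }

# What the program does when it loads the config.
sub deobfuscate { return xor_with_key(pack('H*', $_[0]), $KEY) }

my $stored = obfuscate($password);
print "config line       : password_obf=$stored\n";
print "program on load   : ", deobfuscate($stored), "\n";

# A reader holding the config value and a copy of this script needs nothing
# more than the key constant and the routine above to get the same result.
my $recovered = xor_with_key(pack('H*', $stored), $KEY);
print "reader with source: $recovered\n";
die "round trip failed\n" unless $recovered eq $password;
```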
