[Melbourne-pm] Obfuscating passwords in configurations
shlomif at iglu.org.il
Wed Dec 1 06:50:49 PST 2010
On Wednesday 01 December 2010 12:29:10 Leigh Sharpe wrote:
> Hi All,
> I'm using Config::Simple to retrieve configuration options from an
> external file. One of the configuration options is a password, but I'm
> really not keen on having a password in plain-text in a config file. Just
> setting the config file to be non-world-readable isn't really adequate.
> Can anybody suggest a way of obfuscating the password in the config file,
> and being able to retrieve it in my program?
First of all read this:
(sorry for the broken URL.)
Reading from it:
Another lesson is about security by obscurity. Some fetchmail users asked me
to change the software to store passwords encrypted in the rc file, so
snoopers wouldn't be able to casually see them.
I didn't do it, because this doesn't actually add protection. Anyone who's
acquired permissions to read your rc file will be able to run fetchmail as you
anyway—and if it's your password they're after, they'd be able to rip the
necessary decoder out of the fetchmail code itself to get it.
All .fetchmailrc password encryption would have done is give a false sense of
security to people who don't think very hard. The general rule here is:
17. A security system is only as secure as its secret. Beware of pseudo-
Now if that's still what you want, you can have the password encyrpted with a
key before being stored in the configuration file and then decrypted upon
loading. You can do it with the bitwise xor operator ("^") with a long enough
key, or perhaps use something like http://search.cpan.org/dist/Crypt-Blowfish/
. Either way, people who have access to your source code will be able to tell
what your password is.
Shlomi Fish http://www.shlomifish.org/
My Aphorisms - http://www.shlomifish.org/humour.html
<rindolf> She's a hot chick. But she smokes.
<go|dfish> She can smoke as long as she's smokin'.
Please reply to list if it's a mailing list post - http://shlom.in/reply .
More information about the Melbourne-pm