[Melbourne-pm] Obfuscating passwords in configurations
toby.corkindale at strategicdata.com.au
Thu Dec 2 16:17:13 PST 2010
On 02/12/10 01:36, Sam Watkins wrote:
> On Wed, Dec 01, 2010 at 09:29:10PM +1100, Leigh Sharpe wrote:
>> Hi All,
>> I'm using Config::Simple to retrieve configuration options from an external file. One of the configuration options is a password, but I'm really not keen on having a password in plain-text in a config file. Just setting the config file to be non-world-readable isn't really adequate. Can anybody suggest a way of obfuscating the password in the config file, and being able to retrieve it in my program?
> Ok, I was silly enough to implement some sort of password encryption /
> decryption thing in perl. It uses a 20-byte secret, which shouldn't go in the
> same config file, random salt, sha1, XOR and base64 encoding. I think this
> would deter casual inspection at least, and it would be extremely hard to break
> without the secret... unless I've made some stupid mistake!
Well, the script you link 404s when I try to download it..
> A limitation is that the password may not be more than 20 characters long.
> One might encrypt longer passwords in< 20 character sections.
> You could use this or similar to send encrypted passwords to users, e.g. in a
> web cookie, keeping the secret hidden from them on a server.
> I guess this is probably overkill for your needs.
I recommend that people use established crypto libraries when they need
crypto. It's harder to get this stuff right than you might think.. and
these other libraries have *already been written*, so you can be lazy
AND secure at the same time! :D
However for the case in question - encrypting passwords in config files
- can I just point out:
What's to stop an attacker editing your Perl program, finding a point
after the config is loaded and decrypted, and just inserting:
say "The decrypted password is: " . $self->config->password;
More information about the Melbourne-pm