[OWASP-Security101] Security101 Digest, Vol 3, Issue 1

Thomas Stiehm thomas.stiehm at gmail.com
Sun Apr 8 21:24:45 UTC 2012


If you are going to store a password in a config file it has to be
encrypted text vs. a hash because you have to be able to unencrypt it to
use it. Depending on what you are doing and why, there are options to keep
the password in a keystore or some similar construct.

You could also require manual restarts and force an admin or operator to
enter the password on startup. There are encryption schemes that can allow
a subset of key holders in order to restart the system, something like you
need 3 of 5 people or 4 of 6 people to restart the system.
 If you want to maintain key accountability.

I think the real question is what does your system do and how much security
needs to be built into it.

You a correct that if you have a password in a config file then that
password can be analyzed and the encryption might be cracked. Bear in mind
that the config file needs to be captured in some way to be analyzed and it
should be fairly easy to change the password if the config file is
compromised.

Tom

On Wednesday, April 4, 2012, wrote:

>
>
> Message: 1
> Date: Tue, 3 Apr 2012 21:57:49 +0800
> From: Wei Chea Ang <weichea at gmail.com <javascript:;>>
> To: security101 at lists.owasp.org <javascript:;>
> Subject: [OWASP-Security101] Storing of password in application config
>        file
> Message-ID:
>        <CAPNymSc-7eiH2AerTgDARafV3RTjqkCNg5rPOcGgPr==7vc+cQ at mail.gmail.com<javascript:;>
> >
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi all,
>
> What is the recommended way of storing password in an application config
> file?
>
> Is it recommended to store the hash value or the encrypted value of
> the password?
>
> Will application be vulnerable to pass the hash attack if application
> authenticate by comparing the hash value?
>
> Thank you.
>
>
> --
> Best Regards,
> Wei Chea
>
>
> ------------------------------
>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org <javascript:;>
> https://lists.owasp.org/mailman/listinfo/security101
>
>
> End of Security101 Digest, Vol 3, Issue 1
> *****************************************
>


More information about the Security101 mailing list