Is it okay that database credentials are stored in plain text?_问答_开发者

Is it okay that database credentials are stored in plain text?

开发者 https://www.devze.com 2023-01-12 19:28 出处：网络

By default, the Django database host/user/password are stored in the project settings.py file in plain text.

I can't seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an atta开发者_运维问答cker has access to the settings file, then all is probably already lost. Even if the the file were encrypted, the attacker would probably have the means to decrypt it by then.

Is this okay?

You are correct that storing passwords in plaintext and in a settings.py file is not good security. You could increase security by:

Setting the permissions correctly (this will depend on your set up). Ideally only python should be able to read the file.
Storing the file out of the www or htdocs root. If at this point an attacker still has access to them, you are screwed anyways.
For added security, you can encrypt the connection settings using symmetric encryption (eg: AES). Store the key somewhere else. So even if someone managed to access the connection settings, they'd still need to find the key. The main drawback is that now you have to rewrite the connection method.

The Twelve-Factor App codified by Heroku recommends

strict separation of config from code.

This is particularly important for management of credentials, which ideally should never be committed to source control.

The django-environ library gives a nice approach to pulling most environment-specific configuration out of the settings.py file, but you could go a long way by just referencing the most sensitive bits with the standard os library, e.g. 'PASSWORD': os.environ['DBPASS']

Of course, you probably will still store some passwords in plain text somewhere, but if that file is not embedded in your codebase, it's far less likely to be leaked.

Yes, it's standard procedure for any database communicating program. There really isn't a "better way" to do it.

There are ways to help prevent invalid hosts from connecting (ip tables, private ip addresses), but the actual connection details are almost always plain text.

Storing the file outside of the web root will help some, but if the attacker has access to the file system it won't matter.