Configured Passwords
Learn about sensitive passwords, protecting passwords in files, AWS key management service, and security as an ongoing process.
Sensitive passwords
There’s obviously no way that somebody can interactively key in passwords every time an application server starts up. Therefore, database passwords and credentials needed to authenticate to other systems must be configured in persistent files somewhere. As soon as a password is in a text file, it is vulnerable. Any password that grants access to a database with customer information is worth thousands of dollars to an attacker and could cost the company thousands in bad publicity or extortion.
These passwords must be protected with the highest level of security achievable. At the absolute minimum, passwords to production databases should be kept separate from any other configuration files. They should especially be kept out of the installation directory for the software. For example, I’ve seen operations zip up the entire installation folder and ship it back to development for analysis during a support incident.
Owner access to passwords
Files containing passwords should be made readable only to the owner, which should be the application user. If the application is written in a language that can execute privilege separation, then it’s reasonable to have the application read the password files before downgrading its privileges. In that case, the password files can be owned by root.
Password vaulting keeps passwords in encrypted files, which reduces the security problem to that of securing the single encryption key rather than securing multiple text files. This can assist in securing the passwords, but it is not, by itself, a complete solution. Because it’s easy to inadvertently change or overwrite file ...
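The owner-only file check and the read-then-drop startup order described under "Owner access to passwords", as an added example that is not part of the original lesson. It assumes a POSIX system; `read_secret`, `read_then_drop`, `InsecureSecretFile` and the `db_password` file name are hypothetical names chosen for illustration.

```python
# Added illustration (POSIX only); all function and file names are hypothetical.
import os
import stat
import tempfile

class InsecureSecretFile(Exception):
    """The password file's type, owner or mode is not acceptable."""

def read_secret(path, allowed_uids):
    """Return the password only if the file is a regular file, owned by an
    allowed uid, with no group/other permission bits (0600 or 0400)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse a symlink at path
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path (no race)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile(f"{path}: not a regular file")
        if st.st_uid not in allowed_uids:
            raise InsecureSecretFile(f"{path}: unexpected owner {st.st_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            mode = stat.S_IMODE(st.st_mode)
            raise InsecureSecretFile(f"{path}: mode {mode:04o} is too open")
        return os.read(fd, 4096).decode().rstrip("\n")
    finally:
        os.close(fd)

def read_then_drop(path, app_uid, app_gid):
    """Started as root: read the root-owned file, then permanently become the
    application user. Groups and gid change first; after setuid they cannot."""
    password = read_secret(path, allowed_uids={0})
    os.setgroups([])
    os.setgid(app_gid)
    os.setuid(app_uid)
    if os.geteuid() != app_uid:
        raise RuntimeError("privilege drop failed")
    return password

def demo():
    """Constructed sample: one file, accepted at 0600 and rejected at 0644."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        with open(path, "w") as f:
            f.write("constructed-sample-password\n")
        for mode in (0o600, 0o644):
            os.chmod(path, mode)
            try:
                results[mode] = read_secret(path, {os.getuid()})
            except InsecureSecretFile as exc:
                results[mode] = exc
    return results
```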