How not to store plaintext passwords?
October 8, 2009 9:56 AM Subscribe
Best practices for storing OracleDB/mysql/ldap/smtp/etc... system passwords for enterprise application integration use?
posted by bottlebrushtree to Computers & Internet (9 answers total) 2 users marked this as a favorite
I'm working with a vendor who currently is storing passwords in plain text in configuration files.
If you've ever configured Wordpress you are familiar with how your mysql password gets placed in plain text in the wp-config.php file.
This vendor is doing a similar thing for mysql, ldap, smtp, etc...
This has made some people uncomfortable.
I'd like some suggestions for best practices to minimize the use of passwords in plaintext (or trivially encoded text) in text configuration files.
These passwords are being used to drive external databases, ldap auth, smtp sending, etc...
Their Java / Tomcat application is expected to be running 24/7 as a Server. This particular instance will be on Windows Server 2003 though Linux is also supported.
It would be nice if it would be possible to have unattended restarting of the application without a user having to enter in a master password, but if that is the only solution we may be comfortable with it.
The application uses LDAP to authenticate users (and hence has the LDAP system password in a configuration file)
The application stores its data in a SQL database (Oracle in this case, though they also support mysql. We have to stay on Oracle)
The application sends mail using SMTP