Re: Generic User password management

From: Ed Tracy (at) Aspect Security
Date: Mon Jan 27 2003 - 15:14:22 EST

Augusto,

  Just a bit of a discussion we have had at Aspect on this topic:

  It's nice to keep these sorts of passwords in properties files and not the code so as to provide portability and object-oriented coding. However, this puts the passwords out in a text file that is very easy to read. This creates a higher risk that the passwords are discovered/stolen.
  A drastic improvement is to encrypt this properties file on disk. Store the key and algorithm in the code. Stronger security can be gained by dividing the key into pieces. Store half in the code and half on disk. Not only do you gain obscurity, but also the additional protection mechanisms that can be placed on the file (only the app should have read perms). Decrypt the properties file into memory during system-init and keep the properties in memory only.

-Ed

Augusto Paes de Barros wrote:

>I'm developing an information security architecture for my company and I
>management.
>I would love to hear how others are dealing with it. How do people deal with
>passwords inside executable files, text configuration files, registry

--
*Ed Tracy, Security Engineer*
ed.tracy@aspectsecurity.com

(443) 745-6270 (work)
(301) 604-4882 (main)
(781) 240-7886 (fax)

*Aspect Security, Inc.*
"Securing the Last Mile of the Internet"
9175 Guilford Road, Suite 300, Columbia MD 21046
www.aspectsecurity.com

Received on Mon Jan 27 15:51:44 2003
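The scheme Ed describes, as an added example that is not part of the original thread: the properties file is sealed with AES-GCM under a key hashed from one half compiled into the program (a constructed placeholder here) and one half read from a separate file at startup, and the decrypted key=value pairs exist only in memory. Function names, the key halves and the sample properties are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// Half of the key compiled into the binary (constructed placeholder, not a real secret).
var codeKeyHalf = []byte("constructed-half-baked-into-the-code")
// newGCM hashes the in-code half and the half read from disk into one AES-256 key.
func newGCM(diskKeyHalf []byte) (cipher.AEAD, error) {
	sum := sha256.Sum256(append(append([]byte{}, codeKeyHalf...), diskKeyHalf...))
	block, _ := aes.NewCipher(sum[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)
}
// SealProperties encrypts the plaintext properties file; a random nonce is prepended.
func SealProperties(diskKeyHalf, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(diskKeyHalf)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// OpenProperties decrypts at init into memory; a wrong key half or a modified file fails the tag check.
func OpenProperties(diskKeyHalf, sealed []byte) (map[string]string, error) {
	gcm, err := newGCM(diskKeyHalf)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("cannot open sealed properties file")
	}
	plain, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	props := map[string]string{} // parsed key=value lines live only here, never on disk
	for _, line := range strings.Split(string(plain), "\n") {
		line = strings.TrimSpace(line)
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && !strings.HasPrefix(line, "#") {
			props[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return props, nil
}
```

Because GCM authenticates the ciphertext, a tampered file or a wrong key half is rejected outright rather than decrypting to garbage. The in-code half still only buys obscurity against someone who can read the binary, which is why the read permissions on the on-disk half matter.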

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
