I work on a few apps in rails, django (and a little bit of php), and one of the things that I started doing in some of them is storing database and other passwords as environment variables rather than plain text in certain config files (or in settings.py, for django apps).
我在rails、django(还有一点php)中开发了一些应用程序,我在其中一些应用程序中开始做的一件事是将数据库和其他密码作为环境变量存储,而不是在某些配置文件(或在设置中)中存储纯文本。py,django应用程序)。
In discussing this with one of my collaborators, he suggested this is a poor practice - that perhaps this isn't as perfectly secure as it might at first seem.
在与我的一位合作者讨论这个问题时,他认为这是一个糟糕的做法——也许这并不像一开始看起来那么安全。
So, I would like to know - is this a secure practice? Is it more secure to store passwords as plain text in these files (making sure, of course, not to leave these files in public repos or anything)?
所以,我想知道——这是一种安全的做法吗?将密码作为纯文本存储在这些文件中是否更安全?
4 个解决方案
#1
26
On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength) :
在更理论化的层面上,我倾向于以以下方式来考虑安全级别(以增加强度为顺序):
- No security. Plain text. Anyone that knows where to look, can access the data.
- 没有安全。纯文本。任何知道去哪里看的人都可以访问这些数据。
- Security by Obfuscation. You store the data (plaintext) someplace tricky, like an environment variable, or in a file that is meant to look like a configuration file. An attacker will eventually figure out what's going on, or stumble across it.
- 模糊的安全。您将数据(明文)存储在某个棘手的地方,比如环境变量,或者存储在一个看起来像配置文件的文件中。攻击者最终会发现发生了什么,或者偶然发现了它。
- Security provided by encryption that is trivial to break, (think caesar cipher!).
- 加密提供的安全性是很容易被破坏的(想想凯撒密码!)
- Security provided by encryption that can be broken with some effort.
- 加密提供的安全性,可以通过一些努力加以破坏。
- Security provided by encryption that is impractical to break given current hardware.
- 加密提供的安全性,在给定当前硬件的情况下,这种安全性是不现实的。
- The most secure system is one that nobody can use! :)
- 最安全的系统是没有人可以使用的!:)
Environment variables are more secure than plaintext files, because they are volatile/disposable, not saved; i.e. if you set only a local environment variable, like "set pwd=whatever," and then run the script, with something that exits your command shell at the end of the script, then the variable no longer exists. Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.
环境变量比纯文本文件更安全,因为它们是可变的/可丢弃的,而不是保存的;例如,如果您只设置了一个本地环境变量,如“set pwd=whatever”,然后运行脚本,在脚本末尾有一些东西退出命令shell,那么该变量就不存在了。你的情况属于前两种情况,我认为这是相当不安全的。如果您打算这样做,我不建议在您当前的内部网/家庭网络之外部署,然后只用于测试目的。
#2
42
As mentioned before, both methods do not provide any layer of additional "security" once your system is compromised. I believe that one of the strongest reasons to favor environment variables is version control: I've seen way too many database configurations etc. being accidentially stored in the version control system like GIT for every other developer to see (and whoops! it happened to me as well ...).
如前所述,当您的系统受到破坏时,这两个方法都不提供任何附加的“安全”层。我认为支持环境变量的最主要原因之一是版本控制:我看到太多的数据库配置等等意外地存储在版本控制系统中,比如GIT,让其他开发人员都能看到(哎呀!)这件事也发生在我身上……
Not storing your passwords in files makes it impossible for them to be stored in the version control system.
如果不将密码存储在文件中,就不可能将它们存储在版本控制系统中。
#3
32
Anytime you have to store a password, it is insecure. Period. There's no way to store an un-encrypted password securely. Now which of environment variables vs. config files is more "secure" is perhaps debatable. IMHO, if your system is compromised, it doesn't really matter where it's stored, a diligent hacker can track it down.
当你需要存储密码时,它是不安全的。时期。无法安全地存储未加密的密码。现在,环境变量和配置文件中哪个更“安全”可能值得商榷。IMHO,如果你的系统被入侵了,存储在哪里并不重要,一个勤奋的黑客可以追踪它。
#4
18
Sorry I didn't have enough rep to comment, but I also wanted to add that if you're not careful, your shell might capture that password in it's command history as well. So running something like $ pwd=mypassword my_prog
manually isn't as ephemeral as you might have hoped.
对不起,我没有足够的代表进行评论,但我还想补充一点,如果您不小心,您的shell可能也会在它的命令历史中捕获该密码。因此,手动运行$ pwd= mywd密码my_prog之类的东西并不像您希望的那样短暂。
#1
26
On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength) :
在更理论化的层面上,我倾向于以以下方式来考虑安全级别(以增加强度为顺序):
- No security. Plain text. Anyone that knows where to look, can access the data.
- 没有安全。纯文本。任何知道去哪里看的人都可以访问这些数据。
- Security by Obfuscation. You store the data (plaintext) someplace tricky, like an environment variable, or in a file that is meant to look like a configuration file. An attacker will eventually figure out what's going on, or stumble across it.
- 模糊的安全。您将数据(明文)存储在某个棘手的地方,比如环境变量,或者存储在一个看起来像配置文件的文件中。攻击者最终会发现发生了什么,或者偶然发现了它。
- Security provided by encryption that is trivial to break, (think caesar cipher!).
- 加密提供的安全性是很容易被破坏的(想想凯撒密码!)
- Security provided by encryption that can be broken with some effort.
- 加密提供的安全性,可以通过一些努力加以破坏。
- Security provided by encryption that is impractical to break given current hardware.
- 加密提供的安全性,在给定当前硬件的情况下,这种安全性是不现实的。
- The most secure system is one that nobody can use! :)
- 最安全的系统是没有人可以使用的!:)
Environment variables are more secure than plaintext files, because they are volatile/disposable, not saved; i.e. if you set only a local environment variable, like "set pwd=whatever," and then run the script, with something that exits your command shell at the end of the script, then the variable no longer exists. Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.
环境变量比纯文本文件更安全,因为它们是可变的/可丢弃的,而不是保存的;例如,如果您只设置了一个本地环境变量,如“set pwd=whatever”,然后运行脚本,在脚本末尾有一些东西退出命令shell,那么该变量就不存在了。你的情况属于前两种情况,我认为这是相当不安全的。如果您打算这样做,我不建议在您当前的内部网/家庭网络之外部署,然后只用于测试目的。
#2
42
As mentioned before, both methods do not provide any layer of additional "security" once your system is compromised. I believe that one of the strongest reasons to favor environment variables is version control: I've seen way too many database configurations etc. being accidentially stored in the version control system like GIT for every other developer to see (and whoops! it happened to me as well ...).
如前所述,当您的系统受到破坏时,这两个方法都不提供任何附加的“安全”层。我认为支持环境变量的最主要原因之一是版本控制:我看到太多的数据库配置等等意外地存储在版本控制系统中,比如GIT,让其他开发人员都能看到(哎呀!)这件事也发生在我身上……
Not storing your passwords in files makes it impossible for them to be stored in the version control system.
如果不将密码存储在文件中,就不可能将它们存储在版本控制系统中。
#3
32
Anytime you have to store a password, it is insecure. Period. There's no way to store an un-encrypted password securely. Now which of environment variables vs. config files is more "secure" is perhaps debatable. IMHO, if your system is compromised, it doesn't really matter where it's stored, a diligent hacker can track it down.
当你需要存储密码时,它是不安全的。时期。无法安全地存储未加密的密码。现在,环境变量和配置文件中哪个更“安全”可能值得商榷。IMHO,如果你的系统被入侵了,存储在哪里并不重要,一个勤奋的黑客可以追踪它。
#4
18
Sorry I didn't have enough rep to comment, but I also wanted to add that if you're not careful, your shell might capture that password in it's command history as well. So running something like $ pwd=mypassword my_prog
manually isn't as ephemeral as you might have hoped.
对不起,我没有足够的代表进行评论,但我还想补充一点,如果您不小心,您的shell可能也会在它的命令历史中捕获该密码。因此,手动运行$ pwd= mywd密码my_prog之类的东西并不像您希望的那样短暂。