CERN Computer Security Information
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/style.css" type="text/css" />
<script type="text/javascript" src="/jquery.min.js"></script>
<title>CERN Computer Security Information</title>
<script type="text/javascript">
$(document).ready(function(){
  // Menu highlight
  var path = location.pathname.split("/");
  if ( path ) {
    $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected');
    // path[3] = /security/<xxxxx>/
    $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected');
  }
  // Add icon to external links
  $('a[id!=logo-img]').filter(function() {
    return this.hostname && this.hostname !== location.hostname;
  }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>');
});
</script>
</head>
<body>
<div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>How to keep secrets secret<br/>(Alternatives to Hardcoding Passwords)</h2> <p>"Hardcoding passwords" is a short name for putting non-encrypted (plain text) passwords and other secret data (private keys, API tokens etc.) into the source code. Typical examples could be:</p> <code> ... <br/> private static String passwd = "<b>mYv3rYSECr3tPWD</b>";<br/> ...<br/> db = MySQLdb.connect(host="db.server.com", user="admin", passwd="<b>NOBODYwillEVERguess</b>", db="sales")<br/> ...<br/> String url = "jdbc:mysql://" + serverName + "/access?user=webclient&amp;password=<b>ILoveJuliet</b>";<br/> ...<br/> for i in 01 02 03 04; do ./remove_temp_files.sh --machine=appserv$i --rootpassword="<b>*d3H%sS-W</b>"; done<br/> ...<br/> </code> <p>Although software developers might not realize it, their source code very often is (or becomes) publicly available. It might be kept in a Git repository that is browsable on the Web. Other developers or code maintainers might send parts of the code by e-mail or post them on the Web without being aware that they reveal passwords. Even if the source code is kept on a secure file system during development, it will almost certainly be moved around later (maybe some years later), as the team is reorganized, file servers are upgraded etc., and the new locations might not be protected any more. A compiled program can easily be reverse engineered: string literals such as the passwords above survive compilation unchanged, and the <code>strings</code> utility is usually enough to find them. And last but not least, passwords should be changed regularly, and changing hardcoded passwords is a lot of hassle (recompilation of the source code, a new release etc.). For all these reasons, software developers should avoid hardcoding secret information (passwords etc.) 
in the source code.</p> <h4>But what are the alternatives to hardcoding passwords?<br/> What else can developers do?</h4> <p>There isn't one simple solution to this problem; it has to be solved on a case-by-case basis. Below are some of the possible solutions:</p> <ul> <li><b>Ask the user for a password:</b> In many cases, it is the user who should know the password, not the program! This is the best solution whenever it can be applied (unfortunately, it won't work for batch scripts, web applications connecting to a database etc.);</li> <li><b>Use already existing credentials:</b> For example, AFS and/or Kerberos tokens are available when a script is executed from acrontab, so the script does not need a password of its own;</li> <li><b>Keep secrets in a separate file:</b> It is much easier to guard a separate config/properties file that is known to contain password(s) than to keep an eye on multiple locations of passwords in source code (which might get refactored, copied etc.). Such a file should have very restrictive file permissions (readable by its owner only), must not end up in Git, Pastebin etc. (add it to <code>.gitignore</code>), and the program should refuse to use it if the permissions are too open. Watch out: if it is a web application, make sure that the password file is not simply downloadable by everyone, e.g. keep it outside the web server's document root! For Puppet managed devices, use CERN IT's <a href="https://configdocs.web.cern.ch/configdocs/secrets/">"tbag" service</a>;</li> <li><b>Encrypt:</b> If your program already has/knows a secret (another password, a decryption key etc.), you can use it to encrypt (and later decrypt) other secret information. Libraries providing encryption algorithms like RSA, AES (Rijndael) etc. are available for all common programming languages and platforms. Note that this only moves the problem: the decryption key must itself be protected by one of the other methods on this list. Even encrypted, it's better to place the secret data in a separate file (see above);</li> <li><b>Keep secrets in a database:</b> If well protected, a database is a good place to safely store passwords. 
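The "keep secrets in a separate file" and "ask the user" alternatives above, as an added example in Python 3 (standard library only) that is not part of the original page; it also shows salted hashing of users' passwords, the approach of the "hash users' passwords" item further down. The file names, the INI section/key names and the sample password written into the temporary file are assumptions made for this demonstration.

```python
"""Added example (not the page's own code): load a secret from a separate,
owner-only file or ask the user; store users' passwords as salted scrypt
hashes. File/section/key names and the sample password are assumptions."""
import getpass
import hashlib
import hmac
import os
import secrets
import stat
import sys
import tempfile
from configparser import ConfigParser


class InsecureSecretFile(Exception):
    """The secrets file is not a regular file readable by its owner only."""


def load_db_password(path, section="database", key="password"):
    """Read a password from an INI-style secrets file kept outside the code.

    The file is used only if it is a regular file whose group/other permission
    bits are all clear (mode 0600 or stricter); a deployment that left it
    world-readable fails loudly instead of silently leaking the password.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureSecretFile("%s is not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureSecretFile(
            "%s is accessible by group/others (mode %04o); chmod 600 it"
            % (path, stat.S_IMODE(st.st_mode)))
    # interpolation=None: a password containing '%' must not be mangled.
    cfg = ConfigParser(interpolation=None)
    cfg.read(path, encoding="utf-8")
    return cfg.get(section, key)


def get_db_password(path):
    """Prefer the protected file; if it does not exist and a human is at the
    terminal, ask them instead. There is deliberately no built-in default."""
    try:
        return load_db_password(path)
    except FileNotFoundError:
        if sys.stdin.isatty():
            return getpass.getpass("Database password: ")
        raise


# scrypt work factors (n must be a power of two). 2**14/8/1 needs 16 MiB and
# keeps the example fast; raise n for production and store it with the hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Return "scrypt$<salt hex>$<digest hex>" to store instead of the password."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


def demo():
    """Constructed demonstration: a 0600 secrets file is accepted, an
    identical 0644 copy is rejected. Returns (password, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "db.ini")
        bad = os.path.join(tmp, "db-leaky.ini")
        for p in (good, bad):
            with open(p, "w", encoding="utf-8") as f:  # constructed sample file
                f.write("[database]\nhost = db.server.com\nuser = admin\n"
                        "password = s3cret-from-file\n")
        os.chmod(good, 0o600)
        os.chmod(bad, 0o644)
        password = load_db_password(good)
        try:
            load_db_password(bad)
            rejected = False
        except InsecureSecretFile:
            rejected = True
    return password, rejected


if __name__ == "__main__":
    print(demo())
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record),
          verify_password("wrong", record))
```

The permission check is the part most often forgotten: a secrets file that is created with the default umask is typically group- and world-readable, so the loader rejects it rather than trusting that someone ran <code>chmod 600</code>. The hash record carries its own salt, so two users with the same password get different records and a leaked table cannot be attacked with one precomputed list.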
Obviously, it won't work for the password that opens the database itself (the classic chicken-and-egg problem), so for that one you have to choose another solution;</li> <li><b>Hash users' passwords:</b> If your software stores passwords of your users (clients), keep them hashed with a slow, salted password-hashing function (bcrypt, scrypt or Argon2) instead of in plain text or as a bare MD5/SHA digest, as described <a href="http://codahale.com/how-to-safely-store-a-password/">here</a>;</li> <li><b>For Puppet managed hosts:</b> Obviously some data of hosts managed via Puppet needs to be secret, but keeping it directly in the manifests on the Puppet master is not secure enough. This <a href="https://configdocs.web.cern.ch/configdocs/secrets/">document</a> explains how to do it properly.</li> </ul> <p>This list contains the most common workarounds to the hardcoded passwords problem. It is neither complete nor closed: there are probably many other solutions that suit specific cases. Please do not hesitate to e-mail <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a> if you have any suggestions or remarks concerning the list.</p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>For All Users<br/> (Experts or Not)</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li> <li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li> <li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li> <li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li> <li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li> <li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li> <li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li> <li><a 
href="/recommendations/en/working_remotely.shtml">Working remotely</a></li> <li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li> <li><a href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li> </ul> <h3>For Software Developers</h3> <ul class="sidemenu"> <li>Good programming in <a href="/recommendations/en/program_c.shtml">C/C++</a>, <a href="/recommendations/en/program_java.shtml">Java</a>, <a href="/recommendations/en/program_perl.shtml">Perl</a>, <a href="/recommendations/en/program_php.shtml">PHP</a>, and <a href="/recommendations/en/program_python.shtml">Python</a></li> <li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li> <li><a href="/recommendations/en/checklist_for_coders.shtml">Security checklist</a></li> <li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li> <li><a href="/recommendations/en/web_applications.shtml">Securing Web applications</a></li> <li><a href="/recommendations/en/code_tools.shtml">Static code analysis tools</a></li> <li><a href="/recommendations/en/more_on_software.shtml">Further reading</a></li> </ul> <h3>For System Owners</h3> <ul class="sidemenu"> <li><a href="/recommendations/en/rootkits.shtml">Checking for rootkits</a></li> <li><a href="https://twiki.cern.ch/twiki/bin/viewauth/CNIC/WebHome">Securing Control Systems (CNIC)</a></li> <li><a href="/recommendations/en/containers.shtml">Securing Containers & Pods</a></li> <li><a href="/rules/en/baselines.shtml">Security baselines</a></li> <li><a href="http://linux.web.cern.ch/linux/docs/linux_exploit_faq.shtml"> The CERN Linux vulnerability FAQ</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> © Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td 
id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>