Secure way to store MySQL/FTP passwords
-
Ok, classic use case. Then how many users are you planning to give access to to your database ?
-
Hi,
maybe this is a help: https://wiki.qt.io/Simple_encryption_with_SimpleCrypt@beecksche said in Secure way to store MySQL/FTP passwords:
Hi,
maybe this is a help: https://wiki.qt.io/Simple_encryption_with_SimpleCryptYea, but I have to add plain password into code anyway.
@SGaist said in Secure way to store MySQL/FTP passwords:
Ok, classic use case. Then how many users are you planning to give access to to your database ?
A few, around 2-3.
-
To reduce the risk you can create a role at your MySQL server with limited access rights, like an ability to use particular database with SELECT queries only (or what is your use-case). And then if password for that role will "leak" - it's still bad, but not the end of the world.
But anyway, I don't see any more secured way rather then hardcoded password inside application binaries. You can use some obfuscation on top. And also instead of storing password in a single string, you can "construct" it with several functions from different strings combining with some calculations to make it harder to discover the initial string during disassembling.
-
To reduce the risk you can create a role at your MySQL server with limited access rights, like an ability to use particular database with SELECT queries only (or what is your use-case). And then if password for that role will "leak" - it's still bad, but not the end of the world.
But anyway, I don't see any more secured way rather then hardcoded password inside application binaries. You can use some obfuscation on top. And also instead of storing password in a single string, you can "construct" it with several functions from different strings combining with some calculations to make it harder to discover the initial string during disassembling.
@veryqtperson said in Secure way to store MySQL/FTP passwords:
To reduce the risk you can create a role at your MySQL server with limited access rights, like an ability to use particular database with SELECT queries only (or what is your use-case). And then if password for that role will "leak" - it's still bad, but not the end of the world.
But anyway, I don't see any more secured way rather then hardcoded password inside application binaries. You can use some obfuscation on top. And also instead of storing password in a single string, you can "construct" it with several functions from different strings combining with some calculations to make it harder to discover the initial string during disassembling.
yes it is option too :)
@SGaist said in Secure way to store MySQL/FTP passwords:
Ok, classic use case. Then how many users are you planning to give access to to your database ?
Do you know something better? I was thinking about API calls, but it is hard to secure (I think).
-
If you are thinking about a REST API, it's currently the trend to shield databases from the rest of the world. It's not that hard to secure. You can implement authentication pretty easily with e.g. Django.
After that, the same constraint applies to your code: you don't want passwords in it. So you can have your user create an account on the service to get their credentials.
-
ok for now I will create MySQL user with limited rights and I will encrypt password using AES-256 and I will save encrypted password into plain text file in Qt resource file, I think this can be quite enough against disassembling (it is not going to be app for download, it is only for some people)
Is possible after compilation open that Qt resource file and see what is inside? Or is it a binary? If it is a binary, its ok, I think :)
Student who loves C/C++
-
ok for now I will create MySQL user with limited rights and I will encrypt password using AES-256 and I will save encrypted password into plain text file in Qt resource file, I think this can be quite enough against disassembling (it is not going to be app for download, it is only for some people)
Is possible after compilation open that Qt resource file and see what is inside? Or is it a binary? If it is a binary, its ok, I think :)
Obfuscation isn't security!
What you should do is what @SGaist wrote - have user credentials that are stored in a secure service somewhere, then ask the service for the database credentials based on the user credentials (over SSL obviously).I will encrypt password using AES-256 and I will save encrypted password into plain text file in Qt resource file, I think this can be quite enough against disassembling (it is not going to be app for download, it is only for some people
This is no different than storing a plain text password. Any debugger can be used as a disassembler and anyone can look up the strings that are stored in the binary, it's really a trivial thing to do.
Or is it a binary? If it is a binary, its ok, I think
Well it's a binary, but that doesn't change a thing. I could retrieve the password in a few minutes from your binary, so again ... obfuscation isn't security!
-
Yes an API of some sort that's running over a secure connection (as mentioned). Also the service itself needs to take care to secure its data, but that's the service's problem to begin with, not your app's.
