At 08:41 AM 3/2/2003, Peter Bengtsson wrote:
What are the security implications of storing a password in a python product as persistent data?
Well... that depends... mostly on the security auditing done on your custom product. If you display data in response to user requests, your product may be vulnerable to a range of attacks. Among other things, strong input validation should be considered critical if you're storing sensitive data.

Another issue your question raises is whether storing the pw in the product means that you're moving away from HTTP authentication. HTTP Basic isn't the tightest thing invented, but it's quite a bit better than sending full passwords over an open wire.

Ultimately, every security question must be answered by examining your requirements and analyzing the threat. If a password is compromised, what does the cracker get? Access? Other information? Credit card data?

There is no one best security policy... but a good approximation of one is to make do with the least amount of sensitive information possible and to exert the greatest control over that which you do store. Your requirements should guide you as to how critical it is to store this information vs. the greater amount of hardening you need to do to maintain it.

HTH,
Dylan
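One concrete way to apply the "store as little sensitive information as possible" advice above, as an added illustration that is not code from this thread or from any Zope product: persist a salted PBKDF2 verifier instead of the password itself, verify candidates in constant time, and make sure anything a view echoes back never includes the derived key or salt. The parameter choices (SHA-256, iteration count, salt size) are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration, not code from the original thread. Parameter choices
# below are assumptions for this example, not anything the thread specifies.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to persist: algorithm, iterations, salt, derived key.

    The password itself is never stored, so a leak of the persistent data
    yields only material that must be brute-forced, not a usable credential.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"alg": "pbkdf2_sha256", "iter": ITERATIONS, "salt": salt, "dk": dk}


def check_password(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    if record.get("alg") != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iter"]
    )
    return hmac.compare_digest(dk, record["dk"])


def safe_to_display(record: dict) -> dict:
    """What a product view may echo back to a user: never the key or salt."""
    return {"alg": record["alg"], "iter": record["iter"]}
```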