[Zope] Storing a password in a python product
Dylan Reinhardt
zope@dylanreinhardt.com
Sun, 02 Mar 2003 16:28:38 -0800
At 08:41 AM 3/2/2003, Peter Bengtsson wrote:
>What are the security implications of storing a password in a python
>product as persistent data?
Well... that depends... mostly on the security auditing done on your custom
product. If you display data in response to user requests, your product
may be vulnerable to a range of attacks. Among other things, strong input
validation should be considered critical if you're storing sensitive data.
Another issue your question raises is whether storing the pw in the product
means that you're moving away from HTTP authentication. HTTP Basic isn't
the tightest thing invented, but it's quite a bit better than sending full
passwords over an open wire.
Ultimately, every security question must be answered by examining your
requirements and analyzing the threat. If a password is compromised, what
does the cracker get? Access? Other information? Credit card data?
There is no one best security policy... but a good approximation of one is
to make do with the least amount of sensitive information possible and to
exert the greatest control over that which you do store. Your requirements
should guide you as to how critical it is to store this information vs. the
greater amount of hardening you need to do to maintain it.
HTH,
Dylan
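As an added illustration of the trade-off Dylan describes (this is example code written for this page, not code from the original thread or from any Zope product), the snippet below shows the two ways a Python product might persist a password: keeping the string itself as an attribute, so that whatever can read the object database reads the password, versus keeping only a random salt and a PBKDF2-HMAC-SHA256 digest, which lets the product verify a password without storing one. Zope's `Persistent` base class is deliberately left out so the code runs with the standard library alone; the class and function names are this example's own.

```python
"""Added example (not from the original thread): two ways a Python product
might keep a password as persistent state.  The plaintext variant exposes
the secret to anything that can read or dump the stored object; the hashed
variant persists only a salt and a PBKDF2 digest, so the stored state cannot
be turned back into the password.  Zope's Persistent base class is omitted
so the example runs with the standard library alone (an assumption of this
example, not a statement about the original product)."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


class PlaintextProduct:
    """What the original question describes: the password is an ordinary
    attribute, so it is persisted verbatim and readable by anything that can
    inspect the stored object."""

    def __init__(self, password: str) -> None:
        self.password = password  # stored as-is

    def check(self, candidate: str) -> bool:
        return self.password == candidate


class HashedProduct:
    """Stores a random salt and a PBKDF2-HMAC-SHA256 digest instead of the
    password: the least sensitive data that still lets us verify a login."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def check(self, candidate: str) -> bool:
        # compare_digest keeps the comparison time independent of where the
        # first differing byte is, so a caller cannot learn the digest bytewise.
        return hmac.compare_digest(self.digest, self._derive(candidate, self.salt))


def persisted_state(obj) -> dict:
    """Stand-in for what an object database would store: the instance dict."""
    return dict(vars(obj))


def exposes_password(obj, password: str) -> bool:
    """True if the password string can be read straight out of persisted state."""
    return any(value == password for value in persisted_state(obj).values())


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample input
    for cls in (PlaintextProduct, HashedProduct):
        obj = cls(secret)
        print(
            f"{cls.__name__}: exposes password={exposes_password(obj, secret)}, "
            f"accepts correct={obj.check(secret)}, rejects wrong={not obj.check('nope')}"
        )
```

Run it and the plaintext variant reports that the password is recoverable from persisted state while the hashed variant does not, yet both accept the correct password and reject a wrong one. Note that hashing only helps when the product merely needs to verify a password; if the product must send the stored password onward to another system, hashing is not an option, and the question then becomes how tightly access to that stored value can be controlled, which is the point the reply makes about requirements driving the policy.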