All geek questions in one place

How to protect plain text password in my script? (Ruby)

in my ruby ​​script I need to pass the username and

  • password in plain text on the login form. Both the username and password are currently stored in my script.

  • I have no control on the server I'm logging into from the script. the script is working fine and in the future I want to switch to

  • web hosting provider and run it from there (I have ssh access)

  • using cron . Is there a way / method like

  • protect password if anyone accidentally accesses this script?

+4
source share
4 answers

The more I think about it, the more I think you should trust your hosting. I would make sure that the hosting has a “skin in the game”: That is, they have enough “profiles” that are considered unreliable, it would be very expensive for them (in lost accounts and sales).

And regardless of whether you think the hosting service is trustworthy, you should have a plan if the target account is compromised. Who you will notify, how you can disable this account, etc.

The only technological solution I can think of is that you log in manually, grab the cookie and provide this cookie script - it protects the password, but the supposedly hostile host can use this cookie for any damage it wanted on the target system using any privileges attached to this cookie, including changing the password. So this is not a solution at all.

Oh, talking about privileges: can a task that you need to automate perform with a target account that has reduced privileges, such as a read-only account, or one that cannot make any changes to its profile? Having only your credentials with a low privilege in the hosting service will reduce your risk (or "exposure" as the polysyllabic crowd likes it).

The previous answer, which turned out to be inoperative, is below the line.

You can encrypt the user ID and password using another password. To run the script, its password must be provided. It uses this password to decrypt the web service username and password. Make sure that the script password is not stored anywhere, but only stored in memory and long enough to decrypt the final user ID and password.

If this is really important, make sure that your connection to run the script is crypto (ssh, ssl, etc.) and make sure that the script uses only https to log in.

This does not make you invulnerable to someone with root privileges in the field (at some point, the user ID and the plaintext password will be in memory and therefore vulnerable), but it does more work for them to get the user ID / password.

Updated: Requiring this to be automated makes the above solution not good.

+1
source

If an automatic script needs to run something with a password, then you either need to read it using a script (which makes it possible for someone else to read it), or not provide it to automation.

The trick is to get around the Automation part by running it once: run the script as a small, continuous process that will periodically wake up and run. Ask the process to request a password at startup or through some other API request (and not on the command line!).

If the server restarts, the password will be lost before entering the system and re-enter the password. Thus, the password is only in memory, not in the file system.

You may need a cron job to check the process and alert you if it is not running.

+1
source

If you need to pass the password into a form that you probably cannot change in order to use a more secure scheme, you can do a bit, in addition to confusing the password so that it does not immediately become obvious. However, anyone who has access to the script itself can simply find where it is submitted to the form and insert the command to print the password there - it must be "decrypted" at this point so that you can pass it on, there is no question what .

To protect it from non-programmers, you could XOR it with something or rotate the letters by some amount, but I would not spend too much time on this, since it will be useless against almost anyone who has a rudimentary understanding programming. Instead, protect the script from other users (set the file permissions correctly, do not put them in a directory visible on the Internet, etc.). And if you do not trust the administration of the server, do not upload it there!

+1
source

You must save the hashed version of the password in your database. A hash is one-way encryption, so it is impossible to use logic to guess a password from a hashed password.

Create a method for hashing the password and do the following:

require "digest/sha1" class User attr_accessor :password def initialize(password) @password = hash_password(password) end def hash_password(password) Digest::SHA1.hexdigest(password) end def valid_password?(password) @password == hash_password(password) end end u = User.new("12345") p u.password # => "8cb2237d0679ca88db6464eac60da96345513964" p u.valid_password?("not valid") # => false p u.valid_password?("12345") # => true

When you get the text password from the form, do you pass it to your valid_password? method valid_password? . This will do one-way encryption, as it was when saving the password. Thus, one-way encrypted passwords are compared. This means that you never keep the link to the actual password anywhere, which is a big win.

0
source

Source: https://habr.com/ru/post/1301240/

More articles: