How to provide password authentication for an Application UserID?

When an application connects to other services (LDAP, databases, OAuth 2.0, etc.), it needs a password for its own account. How can we store that password securely and still be able to obtain the cleartext password to perform the required functions?

Basic Approaches

These are the basic approaches to application password storage.
- Store the password(s) behind a password - This means requiring a passphrase to be typed as the application starts in order to read the accounts.xml file, and, to be truly secure, requiring it to be typed again before writing to it.
- Obscure the password - This means storing the password in some format other than plain text, which the application automatically converts back to plaintext (in memory). This is security by obscurity, and is a Very Bad Thing: it gives the application owner a false sense of security, which we believe is worse than letting informed users deal with the password issue themselves. Consider that a naive application owner might think it is safe to share the accounts information because the passwords are "encrypted".
- Store the password in plain text and control access to the file - This is probably the best option. Store the password in plain text, but make the file itself readable only by the application owner.

- Mozilla - Let's talk about password storage - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
- Apache - EncryptedPasswordStorage - https://wiki.apache.org/subversion/EncryptedPasswordStorage
- MonoWall - Why are some passwords stored in plaintext in config.xml? - http://doc.m0n0.ch/handbook/faq-plaintextpass.html
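One way to implement the third approach above (plain text, access controlled by the file mode), as an added example that is not from the original page: the file is created with mode 0600 from the start, and the application refuses to read it if the mode or ownership has since been loosened. It assumes a POSIX host and a hypothetical one-line "username:password" file layout.

```python
import os
import stat
import tempfile

# Added example (not from the original page): approach 3, a plaintext
# credential file readable only by the application's own account.
# Hypothetical layout: one line, "username:password". POSIX only.

def write_credentials(path, username, password):
    """Create the file with mode 0600 atomically, so it is never group- or
    world-readable even briefly, regardless of the process umask."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}:{password}\n")

def check_permissions(path):
    """Return a list of problems (empty if the file is safe to use): it must be
    a regular file, owned by us, with no group or world permission bits."""
    problems = []
    st = os.lstat(path)  # lstat: do not follow a symlink placed at this path
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("not owned by the application user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or world permission bits set (%o)"
                        % stat.S_IMODE(st.st_mode))
    return problems

def read_credentials(path):
    """Return (username, password) only when check_permissions() is clean."""
    problems = check_permissions(path)
    if problems:
        raise PermissionError(f"{path}: " + "; ".join(problems))
    with open(path) as fh:
        line = fh.readline().rstrip("\n")
    username, _, password = line.partition(":")
    return username, password

def demo():
    """Constructed sample: write, read back, then loosen the mode to show the refusal."""
    path = os.path.join(tempfile.mkdtemp(), "accounts.txt")
    write_credentials(path, "svc-ldap", "s3cr3t")  # constructed sample values
    ok = read_credentials(path)
    os.chmod(path, 0o644)                          # simulate a careless chmod
    refused = check_permissions(path)
    return ok, refused
```

Note that this only protects against other unprivileged users on the same host; anyone with root, or with read access to backups of the file, still sees the cleartext, which is the trade-off the page accepts.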