[Discuss] securing API passwords

Rich Braun richb at pioneer.ci.net
Sat Jan 31 12:39:14 EST 2015


> Postgres has the ability to do passwords, so do I just put a password in my program source? Set Postgres to only accept local connections, and hope for the best? 

The config-management systems do this with encryption: take a look at Chef (encrypted data bags) and Ansible (ansible-vault). I've used each of these, and I've also rolled my own with files stored under cryptsetup and TrueCrypt.

You /can/ store the passwords/keys with your code, but not in plain text. Keep your encryption keys in a place separate from your code, and protect them with 2-factor auth (a keyfile and a memorized passphrase; read up on ssh-keygen for a simple example of what I mean).

If you're really paranoid, also add Google Authenticator on top of that.

Just remember: keep those plain-text passwords off the network and out of your code base.

-rich
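As an added example, not part of Rich's post, here is a stdlib-only Python loader that enforces the point above: the Postgres password is read at runtime from a file outside the code tree that is owner-only readable, and the tree is scanned for a leaked copy of the literal. The file names, the `SecretPolicyError` class and the suffix list are assumptions for illustration.

```python
"""Load a database password from a protected file outside the code tree.

Added example (not from the original post). Assumes the secret lives in a
file that is owner-readable only (e.g. mode 0600) and sits outside the repo.
"""
import os
import stat
from pathlib import Path


class SecretPolicyError(Exception):
    """Raised when a secret file violates the storage policy (hypothetical name)."""


def read_secret(secret_path, code_root):
    """Return the secret stored in secret_path after policy checks.

    Policy: the file must be a regular file, must not live inside the code
    tree (so it cannot be committed by accident), must be owned by the
    current user, and must not be group- or world-readable.
    """
    secret = Path(secret_path).resolve()
    root = Path(code_root).resolve()
    if root == secret or root in secret.parents:
        raise SecretPolicyError(f"{secret} is inside the code tree {root}")
    st = os.lstat(secret)  # lstat: a symlink pointing elsewhere is rejected below
    if not stat.S_ISREG(st.st_mode):
        raise SecretPolicyError(f"{secret} is not a regular file")
    if st.st_uid != os.getuid():
        raise SecretPolicyError(f"{secret} is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretPolicyError(f"{secret} is readable by group or others")
    return secret.read_text(encoding="utf-8").strip()


def scan_tree_for_secret(code_root, secret, suffixes=(".py", ".conf", ".ini", ".env")):
    """Return source-like files under code_root that contain the secret literal.

    Run this before committing: a non-empty result means a plain-text copy
    of the password has crept into the code base.
    """
    hits = []
    for path in Path(code_root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if secret and secret in text:
                hits.append(path)
    return hits
```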
