[Discuss] Passwords in Source Code?? Or, How to secure interprocess communications?
Kent Borg
kentborg at borg.org
Sat Jan 31 18:49:42 EST 2015
On 01/31/2015 06:30 PM, Gordon Marx wrote:
> None of that matters.
Huh?
> Code goes in version control. Secrets that you want to keep secret don't. Therefore, you can't put secrets into your code.
Yes, that's why I brought up the question. We agree.
> Write the username and password into a configuration file,
That is my current approach.
> get the username and password from the environment, or use a non-password auth mechanism like an SSL certificate.
Even more non-standard, make up a new one every time the OS boots, set
the postgres password then, too.
Because this is only used to communicate within the machine, no one else
cares whether it changes. A file with narrow permissions is safer than
trusting "localhost" restrictions.
-kb
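The boot-time scheme Kent describes (fresh random password each boot, stored in an owner-only file, then pushed into PostgreSQL), written out as an added example that is not from the thread. It assumes a hypothetical role name and secret path, and that it runs as a local account that can already ALTER the role (for instance the postgres user over peer auth); psql's `:'pw'` / `:"role"` variable quoting is used so the password is never spliced into SQL by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders:
# role "appuser" and secret file /run/app/db.secret; adjust for your setup.
set -eu

# Fresh password from the kernel CSPRNG: 32 random bytes, base64, no newline.
gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write the secret to $1 readable by the owner only. The temp file is created
# under umask 077, so there is no window in which it is group/world readable,
# then renamed atomically into place.
write_secret_file() {
    target="$1"; secret="$2"
    tmp="$(dirname "$target")/.$(basename "$target").tmp.$$"
    (
        umask 077
        rm -f "$tmp"
        printf '%s' "$secret" > "$tmp"   # printf: no echo escape quirks
    )
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
}

# Refuse to go on if the file is readable by anyone but its owner.
assert_owner_only() {
    case $(ls -l "$1" | cut -c1-10) in
        -rw-------) return 0 ;;
        *) echo "bad permissions on $1" >&2; return 1 ;;
    esac
}

# Push the password into PostgreSQL. psql quotes :"role" as an identifier and
# :'pw' as a string literal, so no hand-built SQL and no password on argv.
set_db_password() {
    printf 'ALTER ROLE :"role" PASSWORD :'"'"'pw'"'"';\n' |
        psql -X -q -v role="$1" -v pw="$2"
}

# One boot-time rotation: role name in $1, secret file path in $2.
rotate_local_secret() {
    pw=$(gen_password)
    write_secret_file "$2" "$pw"
    assert_owner_only "$2"
    set_db_password "$1" "$pw"
}
```

Callers on the same host read the file (never the environment or argv) to get the current password; because it is regenerated every boot, nothing outside the machine ever needs to know it.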