Password Management at the Application Server

External Module Password Management at the Application Server

  • Do not hard-code secrets (for example: passwords, private keys, etc.) in source code.
  • Keep secrets in a separate, centralized configuration file that the different application modules can reference. The configuration file should have highly restrictive access permissions (readable only by the account the application runs as). It should not be added to version control. It should not be located anywhere under a web application's document root, from where it could be downloaded.
  • Keep the configuration file contents encrypted under a separate application password, supplied to the application at start-up rather than stored alongside the file. The application decrypts the contents in memory, on the fly, to retrieve the secrets; the file itself stays encrypted on disk.
  • If the configuration file contents cannot be encrypted, at least store them in an encoded form (Base16, Base32, Base64, etc.) so that they cannot be read or memorized at a glance. Note that encoding is reversible obfuscation, not encryption: it offers no protection against anyone who can read the file.
  • Access to the configuration file should also be logged by the operating system and the log forwarded to a central log server.

