数据库凭据是否以纯文本格式存储可以吗？ [英] Is it okay that database credentials are stored in plain text?

问题描述

默认情况下，Django数据库主机/用户/密码以纯文本形式存储在项目settings.py文件中。

By default, the Django database host/user/password are stored in the project settings.py file in plain text.

我似乎没有想到一个更好的方式，但这似乎是反对最佳做法的密码存储。授予，如果攻击者可以访问设置文件，则所有可能已丢失。即使文件被加密，攻击者也许有办法解密它。

I can't seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an attacker has access to the settings file, then all is probably already lost. Even if the the file were encrypted, the attacker would probably have the means to decrypt it by then.

这是否可以？

推荐答案

你是正确的。但您可以通过以下方式提高安全性：

You are correct. But you can increase security by:

• 正确设置权限（这将取决于您的设置）。

• Setting the permissions correctly (this will depend on your set up). Ideally only python should be able to read the file.

将文件存储在 www htdocs root。

Storing the file out of the www or htdocs root. If at this point an attacker still has access to them, you are screwed anyways.

为了增加安全性，您可以使用对称加密来加密连接设置：AES）。将密钥存储在其他地方。因此，即使有人设法访问连接设置，他们仍然需要找到密钥。主要缺点是现在必须重写连接方法。

For added security, you can encrypt the connection settings using symmetric encryption (eg: AES). Store the key somewhere else. So even if someone managed to access the connection settings, they'd still need to find the key. The main drawback is that now you have to rewrite the connection method.

这篇关于数据库凭据是否以纯文本格式存储可以吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！