1

So, my company uses a Bitbucket Cloud for SCM, and I use ScourceTree on my laptop workstation. I am working on a code project that was originally written mostly by someone else and currently the software that I'm working on uses a plain-text config file to pass in username and password information to the program to use to connect to the services it needs.

Now, I'm no stranger to the fact that this is a very bad thing, but I have yet to get around to fixing this as a solo developer. (Although it is definitely a high priority).

I wanted to commit changes to the config file today, but I was hesitant, as I was working on an unsecured network at a cafe. This got me wondering: How secure are most of these cloud-based code services (ie. Bitbucket/Github) and how dangerous is it to commit code like this on a public network?

I have the awesome ability to work remotely and do not wish to risk my job by exposing my company to unnecessary risk.

Since I know that plain text passwords tend to be a bad idea, I was also wondering how I should go about fixing this issue. The app I'm working on uses java, and the passwords are in a properties file. Is there a java library or utility I should know about (still a bit new to java).

I was hoping that this could be a general answering point for beginners concerned with how to deal with passwords securely in code (of any language). I work in C++ and PHP alot also, so I would really appreciate advise on how to handle such things in those languages as well. Don't need extreme specifics, just keywords to search. Are they libraries, or utilities built into the languages?

Edit: I am aware that this SO question explains a good method of handling my situation in Java, but a) the question about network security between Bitbucket/Github and SourceTree is different and b) I was asking for more information about general best practices across languages, rather that JUST specifics about java (although the link provided was quite helpful at addressing the Java-specific case).

Community
  • 1
  • 1
Brandon S.
  • 306
  • 1
  • 4
  • 14
  • Public or private network, keeping passwords in text files is a bad idea. – Amit Bhati Feb 02 '17 at 21:38
  • Why are the passwords kept in source control? Plain-text passwords are actually not a bad idea _per se_, but exposing them to everyone who can access your SCM is. The question seems a bit too broad because you don't give any information about the application in question. – Mick Mnemonic Feb 02 '17 at 21:40
  • The answer to that with question is simply: Because I work for a small company with only 1 solo dev at a time, and the guy before me set it up that way. I like the idea of having the passwords in a separate (non-scm) file as suggested by @Mike Nakis. But I'm actually in the process of trying to overhaul this software, and I think I'll actually add user authentication to the software in general, so my current situation should become non-issue. I am simply wondering these things for future reference. – Brandon S. Feb 02 '17 at 21:43
  • Do the username/password you store for services, those services allow /ssh authentication. Also, would using a VPN connection solve your problem –  Feb 02 '17 at 21:46
  • I believe so. The services that It uses are MySQL and google's SMTP server. I'm confident that MySQL allows SSH authentication, but not sure about google SMTP. – Brandon S. Feb 02 '17 at 21:50

2 Answers2

1

What a coincidence, we were just dealing with a similar situation at work. The way we decided to solve it is by having the code fetch passwords from an external plaintext password file which is not committed. (Add it to .gitignore or better yet move it out of the source tree.) Whoever wants to use the code and is trusted enough to have the passwords will need to obtain this file through means other than git.

If you want a place to securely store passwords, there is keepass, with builds for windows and linux, and some derivatives of it. It maintains a list of logins and for each entry in the list there is a "copy password to clipboard" option. It even wipes the password from the clipboard a minute later. But then the passwords stored in there are not accessible from code.

Mike Nakis
  • 56,297
  • 11
  • 110
  • 142
0

  1. Regarding the network issue, use a VPN.

  2. As for passwords, it has long been common practice not to store the actual passwords ANYWHERE. Store a table of username/password-hash. When the password is first created, hash it and store the hash. When the user logs in and enters their password, hash that, and compare it to the stored hash. This has been common practice for decades.

Randy Leberknight
  • 1,363
  • 9
  • 17
  • I note that the SO question referenced above talks a lot about encrypting passwords, and then worrying about storing the decryption key. If you just do a one-way hash, then you don't have to encrypt and decrypt. Then the software you are writing doesn't even have the ability to produce the passwords in plaintext, and therefore can't be hacked to do that. – Randy Leberknight Feb 02 '17 at 23:38
  • 2
    OP mentions that the password is needed "to connect to the services it needs", so the actual password instead of a hash needs to be accessible to the application. – Mick Mnemonic Feb 03 '17 at 00:48
  • Ah, I missed that. – Randy Leberknight Feb 03 '17 at 00:52
  • Could someone please clarify point 1. Not exactly sure I know what you mean by that. I'm using Bitbucket cloud, so connecting to my company's VPN doesn't really help very much, as the commits are going directly to the local gateway (and not through the company network). – Brandon S. Feb 03 '17 at 20:50