Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
By default, the Django database host/user/password are stored in the project settings.py file in plain text.
I can’t seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an attacker has access to the settings file, then all is probably already lost. Even if the the file were encrypted, the attacker would probably have the means to decrypt it by then.
Is this okay?
You are correct that storing passwords in plaintext and in a settings.py file is not good security. You could increase security by:
Setting the permissions correctly (this will depend on your set up). Ideally only python should be able to read the file.
Storing the file out of the
wwworhtdocsroot. If at this point an attacker still has access to them, you are screwed anyways.For added security, you can encrypt the connection settings using symmetric encryption (eg: AES). Store the key somewhere else. So even if someone managed to access the connection settings, they’d still need to find the key. The main drawback is that now you have to rewrite the connection method.