Curious whether or not it is a bad idea to create Users with password in db:seeds for development?
It’s generally a bad practice because of the small but certain number of times that they will ‘somehow’ be forgotten about and created in production. So that’s the biggest thing to know and be aware of. Good security is about being attentive to as many layers and possibilities as possible. It’s never a ‘one thing to look at’ issue.
Caveat given... I think it’s fairly OK. You really need those users for development and testing. Therefore I recommend doing the following:
Enter a ticket now in your ticket-tracking system so that, before go-live, you check the production system for such accounts.
Even test and dev accounts should have real passwords like BIGmy2+catz, NOT "password", "abc123", "change-me", etc.
Consider excluding the seeds file from your source control (e.g. .gitignore for git) so that they aren’t even on the remote server.
Consider encrypting the file and decrypting it "as needed", then deleting the decrypted file immediately after use.
Be careful and cautious when running the rake db:seed command, and think carefully about what’s in the current seeds.rb file and where the data will be visible from, e.g. the public internet.
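An added example, not part of the original post, showing how the environment check and the "real passwords only" rule recommended above can be enforced at the top of a seeds file. It is plain Ruby with no Rails dependency; `Rails.env`, `User`, the DEV_*_PASSWORD variable names and the sample passwords are assumptions or constructed for the demo.

```ruby
# Added example (not from the original post): a guard for db/seeds.rb so that
# development-only accounts are never created in production and never carry
# placeholder passwords. Plain Ruby; in a real app `env` would be Rails.env,
# `env_vars` would be ENV and each returned hash would go to User.create!.

# Placeholder passwords the answer calls out; treat them as forbidden everywhere.
PLACEHOLDER_PASSWORDS = %w[password abc123 change-me changeme secret test 123456].freeze
MIN_PASSWORD_LENGTH = 10

class SeedGuardError < StandardError; end

# Returns the dev accounts that are safe to create in the given environment.
# - Refuses outright outside development/test (the "somehow forgotten" case).
# - Reads each password from an environment variable instead of the file, so
#   the seeds file can be committed without containing any secret.
# - Rejects placeholder or short passwords even for dev/test accounts.
def dev_seed_users(env, env_vars, accounts)
  unless %w[development test].include?(env)
    raise SeedGuardError, "dev seed users must not be created in #{env}"
  end

  accounts.map do |email, var_name|
    password = env_vars[var_name].to_s
    if password.length < MIN_PASSWORD_LENGTH
      raise SeedGuardError, "#{var_name}: password missing or shorter than #{MIN_PASSWORD_LENGTH}"
    end
    if PLACEHOLDER_PASSWORDS.include?(password.downcase)
      raise SeedGuardError, "#{var_name}: placeholder password is not allowed"
    end
    { email: email, password: password }
  end
end

# Constructed sample input: account email -> environment variable holding its password.
DEV_ACCOUNTS = {
  "admin@example.test"  => "DEV_ADMIN_PASSWORD",
  "editor@example.test" => "DEV_EDITOR_PASSWORD",
}.freeze

# Constructed stand-in for ENV so the script runs offline; real values come from ENV.
SAMPLE_ENV = {
  "DEV_ADMIN_PASSWORD"  => "BIGmy2+catz",
  "DEV_EDITOR_PASSWORD" => "Qz8!lamp-river",
}.freeze

if __FILE__ == $PROGRAM_NAME
  # In a real seeds.rb: dev_seed_users(Rails.env, ENV, DEV_ACCOUNTS).each { |u| User.create!(u) }
  dev_seed_users("development", SAMPLE_ENV, DEV_ACCOUNTS).each { |u| puts "would create #{u[:email]}" }
end
```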