February 24, 2010

Hiding Passwords – Security by Obscurity

Filed under: Connectivity — redoblog @ 9:00 pm

I’ve written quite a lot of scripts over the last twenty years and have always tried to secure my database usernames and passwords. I’ve made use of directories with 0400 and 0440 permissions, making the directories only readable by a certain group. Then I’d add the group id to the “run as” user of my script. I’ve gone a little further as well and tried to hide my passwords by obscurity, doing things such as making my files “.passwords” (well, not that name, but I need to be careful how much I give away, after all, this is a blog!).

So if for example I create a file called “/home/ahbaidg/.hidden/.passwords” the file’s contents would look like this:

# File: .passwords
# Notes: Comments cause lines to be ignored
# APPID – is an application identifier
# DBNAME – is the TNS Names entry to connect to the database
# DBUSER – is the username to connect with
# DBPASS – is the password to use
# Billing App entries for my read only reporting user against PRODDB database
# Reservation App entries for my read only user against RESERVS database

I’d protect the file from world readability with “chmod 0400 .passwords”, so only the file’s owner (the user my app runs as) could read it.

Then in my shell scripts I’d grep through the file and use awk to parse it like so:

export ACCOUNTS=/home/ahbaidg/.hidden/.passwords

# Each entry is APPID:DBNAME:DBUSER:DBPASS. Skip comment lines, match the
# application id exactly (anchored and followed by the separator), pick the field.
DBNAME=$(grep -v '^#' "$ACCOUNTS" | grep "^$MYAPP:" | awk -F: '{print $2}')
DBUSER=$(grep -v '^#' "$ACCOUNTS" | grep "^$MYAPP:" | awk -F: '{print $3}')
DBPASS=$(grep -v '^#' "$ACCOUNTS" | grep "^$MYAPP:" | awk -F: '{print $4}')

The remainder of the script would then connect to the database doing something like:

echo "$DBPASS" | sqlplus -s -R 3 -L "$DBUSER@$DBNAME"
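Here is an added example (not the post’s own script) that does the same lookup in a single awk pass, matches the APPID field exactly, and refuses a credentials file that is not mode 0400 or 0600; the file path, app ids and credentials it builds are constructed for the demo.

```shell
# Added example, not the post's own script: read one APPID entry from a
# .passwords file laid out as APPID:DBNAME:DBUSER:DBPASS. File paths, app ids
# and credentials below are constructed for the demo.

# load_account FILE APPID -> prints "DBNAME:DBUSER:DBPASS"; returns 1 if the
# file is group/world accessible or the app id is not present.
load_account() {
    file=$1
    app=$2
    # Refuse a file that is not private to its owner (GNU stat, then BSD stat).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null)
    case "$mode" in
        400|600) ;;
        *) echo "refusing $file: mode $mode is not 0400 or 0600" >&2; return 1 ;;
    esac
    # Single awk pass: skip comments and blank lines, match the app id
    # exactly (BILL must not match BILLING) and stop at the first hit.
    awk -F: -v app="$app" '
        NF == 0 || /^#/ { next }
        $1 == app { print $2 ":" $3 ":" $4; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# make_sample -> prints the path of a constructed 0400 .passwords file.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/.passwords" <<'EOF'
# APPID:DBNAME:DBUSER:DBPASS   (constructed sample entries)
BILLING:PRODDB:report_ro:ExamplePass1
RESERVATION:RESERVS:resv_ro:ExamplePass2
EOF
    chmod 0400 "$dir/.passwords"
    echo "$dir/.passwords"
}

# demo: fetch the BILLING entry and split it on ":" into the three variables
# the original script used; the sqlplus line is left as a comment.
demo() {
    f=$(make_sample)
    entry=$(load_account "$f" BILLING) || return 1
    oldifs=$IFS; IFS=:
    set -- $entry
    IFS=$oldifs
    DBNAME=$1 DBUSER=$2 DBPASS=$3
    echo "would connect as $DBUSER@$DBNAME"
    # printf '%s\n' "$DBPASS" | sqlplus -s -R 3 -L "$DBUSER@$DBNAME"
}
```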

The password sits in a plain-text file, so anyone with sufficient privileges on the host can eventually read it. My approach only hid the password by obscuring where it lived; with those privileges it is still there in plain text. How can this be made more secure? One option is an Oracle Wallet: it can be distributed to users without sharing the database password, and it keeps the passwords in an encrypted store.

In my next post I’ll go into how to set up an Oracle Wallet.

Stay Tuned!


1 Comment »

  1. […] 19-How to hide (obscure) your passwords in shell scripts ? (recommended) Ahbaid Gaffoor – Hiding Passwords – Security By Obscurity […]

    Pingback by Blogroll Report 19/02/2010 – 26/02/2010 « Coskan’s Approach to Oracle — March 20, 2010 @ 8:30 pm
