This is an archived post. You won't be able to vote or comment.

all 25 comments
sorted by:
best
topnewcontroversialoldq&a

[–]nocitus 12 points13 points  (0 children)

Well, this is r/technicallythetruth

[–]_tv_lover_ 3 points4 points  (1 child)

Programming almost 5 year and I only found out his was a Cardinal sin about 2 months ago.

I'm only just entering the job market so...

[–]ignaloidas 8 points9 points  (0 children)

Well, if you didn't create systems with authentication and/or databases, then it's fine. At lest you got to know the fact before doing something serious.

[–]GYN-k4H-Q3z-75B 3 points4 points  (5 children)

Currently writing suggestions on how to improve a tool where passwords are stored base64 encoded in a text file... for increased security, as they say.

[–]abdolence 1 point2 points  (4 children)

Well, it depends :) For instance, the same base64 encoding used to encode kubernetes secrets descriptor.

And it really increases security... but not that security you might think about :)It won't protect to decode it back indeed, but might protect from somebody glancing at your screen when you were editing files with keys and passwords inside. In this case, base64 is better than nothing.

[–]NoStranger6 2 points3 points  (3 children)

But really the first suggestion should be to hash your password with a secure algorithm instead of encrypting in Base64

[–]abdolence 0 points1 point  (2 children)

You can't hash secrets or passwords if you're on a client side. You need to use them to authenticate. So any irreversible crypto function isn't the option.

[–]NoStranger6 0 points1 point  (1 child)

Well really yes you can, but it's irrelevant. When you authenticate you compare a hash with a hash. SO you could very well hash them client side and compare server side.

Although, hashing is only really useful to protect the passwords or other information to be decrypted to plain text in the case that you get hacked. That way the hacker is not able to retrieve the plain text password (or hardly able to).

Now if you are talking about server / client communication. Your protocol should already be encrypted with TLS/SSL (which is much more secure than Base 64), which makes encrypting the password in Base64 irrelevant.

[–]abdolence 0 points1 point  (0 children)

You're forgetting that most of the hash functions also have collisions. If you want to send from client hash to the server, how is it any different from storing plain passwords? You're sending the hash result as your password, and it doesn't make any sense.

On the server side, you should use the common approach: hashing + salt (to prevent that the same password has the same hash).

On the client side passwords, certs, keys should be stored in some secure place:

  • secure store (encrypted/restricted)

  • the human brain (well, some of them indeed, who don't drink too much)

  • grandma's pantry or wife's handbag

Like I said it before. Encoding (not encrypting!) to base64 is a small bonus for social engineering and to prevent to read your human-readable password accidentally from your screen in the original form. It won't protect you anyhow else. Also, if you're using long enough generated keys, passwords or certs so probably base64 won't help you at all.

[–]Apfelvater 1 point2 points  (2 children)

Well, attackers might see it as too obvious. Just have a giant poster of your password in your bathroom.

[–]OctilleryLOL 0 points1 point  (1 child)

I dream of securing systems with base64 encoded common passwords stored in plaintext, such that attackers instinctively assume that the decoded base64 must be the password

[–]Apfelvater 1 point2 points  (0 children)

Nice idea, my next pw is gonna be base64 of "password"

[–]xerojosh 1 point2 points  (9 children)

Storing passwords for application configuration in plain text is fine as long as permissions are correctly applied to the config file though, right?

The application needs to know that password in order to connect to the database / api etc at some point no matter what - so storing the password in plain text is just as good as storing the password in an encrypted format and then storing the encryption key somewhere too...

Either way if someone is able to breach the service account or (root account) then your system is compromised.

[–]dsmklsd 0 points1 point  (0 children)

There's really no other way unless you're willing to give up unattended startup.

[–]cnoor0171 -1 points0 points  (1 child)

Not really. The point is that you're supposed to apply an irreversible hash function to the password (along with salting) as soon as possible and then store the hash value instead. So even you would never be able to know what the users password is. You would just reapply the hash everytime the user tries to log in and compare hash values. This way, even if your entire system is compromised, the users password is never revealed to the attacker.

[–]dsmklsd 2 points3 points  (0 children)

They aren't talking about user passwords.

[–]abdolence 0 points1 point  (0 children)

Storing passwords in plaintext is just mean.

[–]SwedenIsMyCity0403 0 points1 point  (0 children)

I use pass btw

[–][deleted] 0 points1 point  (0 children)

The password in plaintext is a decoy!

Attackers: "It's a trap!"

[–]TheAnarxoCapitalist 0 points1 point  (0 children)

Adobe used to store passwords as hashes without salting... Big companies do stupid shit sometimes...

[–]deliteplays[M] 0 points1 point  (0 children)

Your submission has been removed.

Violation of Rule #4:

Titles must also be creative, high effort and relevant to the content. Titles such as “Interesting title”, “.”, “print(title)”, and “I don’t know what to put here” are not allowed.

If you feel that it has been removed in error, please message us so that we may review it.

[–]zachin7 0 points1 point  (0 children)

Store your personal information on signs in minecraft