Friday, July 26, 2013

A Note for Code Developers

Today's post is very simple: if you are going to write code, don't embed privileged usernames and passwords in the code. And if you must hard-code a password, for crying out loud, don't store the code with passwords on a public code repository!

https://github.com/search?p=1&q=mysqldump+-p&ref=searchresults&type=Code
Nearly 10,000 code samples on GitHub have the MySQL database password written in cleartext in the code. Many of them use a username of root ... might that also be the root account and password for the system itself?

Sure, many times an application needs to access a database and the end user doesn't need to have an account. But instead of coding the root password into the application, either use a limited account that only has read access, or better yet, handle account management on the server side. If the application runs in the context of a user with appropriate credentials, there is never a need for the application to log in, and thus no need to store usernames and passwords in the source code.
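To make the "limited account, no password in the code" advice concrete for the mysqldump case above, here is an added example (mine, not from the post or from any project it mentions): the hard-coded pattern next to a version that takes a backup-only account's credentials from the environment at run time and hands them to mysqldump through a private option file, so the secret is in neither the repository nor the process list. The database name `appdb` and the variable names `DB_BACKUP_USER` / `DB_BACKUP_PASSWORD` are assumptions of the example.

```python
"""Dumping a database without a password in the source tree.

dump_command_insecure() is the pattern the post warns about; build_dump_command()
reads credentials at run time and passes them via a 0600 MySQL option file.
"""
import os
import subprocess
import tempfile
from typing import List, Mapping, Tuple

DB_NAME = "appdb"  # assumed database name for this example

def dump_command_insecure() -> List[str]:
    # Don't do this: a constructed placeholder standing in for a real root
    # password. It sits in the repo and shows up in `ps` while mysqldump runs.
    return ["mysqldump", "-u", "root", "-pHARDCODED_PLACEHOLDER", DB_NAME]

def render_option_file(user: str, password: str) -> str:
    """Text of a [client] option file; the double quotes keep '#' or ';'
    inside the password from being read as a comment delimiter."""
    if any(c in password for c in '"\\\n'):
        raise ValueError("password needs option-file escaping; not handled here")
    return '[client]\nuser=%s\npassword="%s"\n' % (user, password)

def write_option_file(user: str, password: str) -> str:
    """Write the option file readable only by the current user; return its path."""
    fd, path = tempfile.mkstemp(prefix="mysqldump-", suffix=".cnf")  # created 0600
    with os.fdopen(fd, "w") as f:
        f.write(render_option_file(user, password))
    return path

def build_dump_command(env: Mapping[str, str]) -> Tuple[List[str], str]:
    """Return (argv, option_file_path). DB_BACKUP_USER should name an account
    holding only what a dump needs (SELECT, LOCK TABLES), never root."""
    user, password = env.get("DB_BACKUP_USER"), env.get("DB_BACKUP_PASSWORD")
    if not user or not password:
        raise RuntimeError("DB_BACKUP_USER and DB_BACKUP_PASSWORD must be set")
    cnf = write_option_file(user, password)
    # --defaults-extra-file has to be the first option mysqldump sees.
    return ["mysqldump", "--defaults-extra-file=" + cnf, DB_NAME], cnf

def argv_leaks_password(argv: List[str], password: str) -> bool:
    """True if the password text appears anywhere on the command line."""
    return any(password in arg for arg in argv)

def run_dump(out_path: str, env: Mapping[str, str] = os.environ) -> int:
    """Run the dump; the option file exists only for the duration of the command."""
    argv, cnf = build_dump_command(env)
    try:
        with open(out_path, "wb") as out:
            return subprocess.call(argv, stdout=out)
    finally:
        os.remove(cnf)
```

Where the MySQL server supports OS-level authentication for the account, the option file can drop the `password=` line entirely, which is the server-side account handling the post recommends.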

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen