Securing the database password
Speedy is built primarily to offer RESTful services over a database. To do that it must connect to the database, which means speedy has to be given the database password. This article explains how speedy obtains the password and how that password is protected.
speedy offers two ways to supply the database password: first, by typing it at the terminal; second, by placing it in a password file, the .dbpass file. The first mode is straightforward: start speedy with -m=prompt, which causes speedy to prompt for the password on the terminal and read it securely.
➜ speedy $ ./speedy -u=scott -s=tiger -m=prompt
speedy # Enter the password for database.
speedy # Press ENTER when done ➜
In the second mode the database password is placed, in plain text, in a file named .dbpass. This file must be in the same directory as the speedy binary. When speedy starts for the first time it encrypts the password and writes the result back into the same file, so the password does not stay on disk in plain text; speedy uses unbreakable AEAD cipher algorithms to secure it. A word of caution here: make sure your password is strong (at least 15 characters, with numerals, a mix of upper- and lowercase letters and plenty of special characters such as *-_@#$%^&~!), and refrain from using "/" or "\" in the password. Following this guidance ensures your database password stays really unbreakable. Below is sample output showing the encrypted password in the file.
➜ speedy $ cat .dbpass
;;5dd67ec75be874bd272721abcf48bb74c4a9b5739a1d33d44e2f0abc9155c0769b2f18
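The file-mode lifecycle described above, as an added example that is not speedy's own code: a Go program that applies the page's password guidance, seals a plain-text .dbpass line with AES-256-GCM (one AEAD choice; the page does not name speedy's cipher), writes it back with restrictive file permissions and the ";;" marker seen in the sample output, and opens the sealed line on later starts. The 32-byte key, the meaning of the ";;" prefix, the hex layout of nonce, ciphertext and tag, and the refusal of weak passwords are all assumptions of this example; where speedy actually keeps its encryption key is not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"unicode"
)

// encPrefix marks a .dbpass line that has already been sealed. Treating the
// ";;" from the page's sample output as that marker is an assumption.
const encPrefix = ";;"

// IsStrongPassword applies the page's guidance: 15+ characters, a numeral,
// upper- and lowercase letters, a special character, and no '/' or '\'.
func IsStrongPassword(p string) bool {
	has := func(f func(rune) bool) bool { return strings.IndexFunc(p, f) >= 0 }
	special := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	return len(p) >= 15 && !strings.ContainsAny(p, `/\`) &&
		has(unicode.IsDigit) && has(unicode.IsUpper) && has(unicode.IsLower) && has(special)
}

// newAEAD builds AES-256-GCM; the page only says speedy uses an AEAD cipher.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword returns the line written back to .dbpass:
// ";;" followed by hex(nonce || ciphertext || tag). The prefix is bound as
// associated data, so the tag also covers the marker.
func SealPassword(key []byte, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(encPrefix))
	return encPrefix + hex.EncodeToString(sealed), nil
}

// OpenPassword reverses SealPassword; any edit to the line fails the GCM tag check.
func OpenPassword(key []byte, line string) (string, error) {
	if !strings.HasPrefix(line, encPrefix) {
		return "", fmt.Errorf("line is not sealed")
	}
	raw, err := hex.DecodeString(strings.TrimPrefix(line, encPrefix))
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("sealed line too short")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(encPrefix))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LoadDBPass models file mode: on the first start the file holds plain text,
// which is sealed and written back with mode 0600; on later starts the sealed
// line is opened. Rejecting a weak plain-text password is this example's choice.
func LoadDBPass(path string, key []byte) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	line := strings.TrimRight(string(data), "\r\n")
	if strings.HasPrefix(line, encPrefix) {
		return OpenPassword(key, line)
	}
	if !IsStrongPassword(line) {
		return "", fmt.Errorf("password does not meet the strength guidance")
	}
	sealed, err := SealPassword(key, line)
	if err != nil {
		return "", err
	}
	if err := os.WriteFile(path, []byte(sealed+"\n"), 0o600); err != nil {
		return "", err
	}
	return line, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "speedy")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".dbpass")
	key := make([]byte, 32) // placeholder key; the page does not say where speedy keeps its key
	rand.Read(key)
	os.WriteFile(path, []byte("Tiger-Scott#2024!xyz\n"), 0o600) // constructed sample password
	for start := 1; start <= 2; start++ { // first start seals the file, second start opens it
		pw, err := LoadDBPass(path, key)
		file, _ := os.ReadFile(path)
		fmt.Printf("start %d: password=%q err=%v\n.dbpass: %s", start, pw, err, file)
	}
}
```

Running it twice in a row against the same directory shows the property the page describes: after the first start the file no longer contains the plain-text password, only the ";;"-prefixed sealed line, and later starts recover the password without anyone typing it. Because GCM authenticates the ciphertext, a .dbpass that has been edited or truncated fails to open instead of yielding a corrupted password.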
Administrators are advised to put the .dbpass file in place just before starting speedy, and are strongly encouraged to use the default file mode whenever possible. File mode makes it practical for admins to run speedy unattended, from crontab or under supervisord, since nobody has to type the password at start-up.