Securing database password

Little Bit Technologies
2 min read · Nov 5, 2022

Speedy is built primarily to offer RESTful services over a database. For that it must connect to a database, which means speedy must be handed the database password. In this article we explain how speedy obtains the password and how to keep that password secure.

speedy offers two ways in which a database password can be provided to it: first, by typing it on the terminal; second, by placing the password in a password file, the .dbpass file. The first mode is quite easy: start speedy with -m=prompt, which causes speedy to prompt for the password on the terminal and read it securely.

➜  speedy $ ./speedy -u=scott -s=tiger -m=prompt
speedy # Enter the password for database.
speedy # Press ENTER when done ➜

In the second mode, the database password is placed in plain text into a file named .dbpass. This file must be present in the same directory as the speedy binary. When speedy starts for the first time, it encrypts the password and writes it back into the same file. This keeps the database password secure, as speedy uses unbreakable AEAD cipher algorithms to protect it. A word of caution here: make sure your password is strong by default, i.e. it has at least 15 characters, contains numerals, mixes upper- and lowercase letters and plenty of special characters (like *-_@#$%^&~!), and refrain from using “/” or “\” in your password.

Following such guidance ensures your database password stays really unbreakable. Below is sample output of the encrypted password as placed in the file.

➜  speedy $ cat .dbpass
;;5dd67ec75be874bd272721abcf48bb74c4a9b5739a1d33d44e2f0abc9155c0769b2f18

It is recommended that administrators place the .dbpass file just before starting speedy, and it is highly encouraged to use the default file mode when possible. The file mode helps admins run speedy from crontab or supervisord services.
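To make the file-mode behaviour above concrete, here is an added Go example (not speedy's own code; the article does not show its implementation) of the seal-on-first-start pattern: a plaintext .dbpass is checked against the password guidance, encrypted with an AEAD (AES-256-GCM from Go's standard library) and written back with restrictive permissions; on later starts the ";;"-prefixed file is decrypted instead. Treating ";;" as the "already sealed" marker, the hex layout nonce||ciphertext, the 0600 file mode and the key being supplied by the caller are all assumptions of this example, not documented speedy behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"unicode"
)

// Assumed marker: the article's sample file starts with ";;" followed by hex,
// so this example treats that prefix as "already sealed".
const sealedMarker = ";;"

// Special characters the article recommends; "/" and "\" are excluded on purpose.
const allowedSpecials = "*-_@#$%^&~!"

// CheckPasswordPolicy enforces the article's guidance: at least 15 characters,
// digits, upper and lower case letters, special characters, and no "/" or "\".
func CheckPasswordPolicy(pw string) error {
	if len(pw) < 15 {
		return errors.New("password must have at least 15 characters")
	}
	if strings.ContainsAny(pw, `/\`) {
		return errors.New(`password must not contain "/" or "\"`)
	}
	var digit, upper, lower, special bool
	for _, r := range pw {
		switch {
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case strings.ContainsRune(allowedSpecials, r):
			special = true
		}
	}
	if !(digit && upper && lower && special) {
		return errors.New("password needs digits, upper and lower case letters and special characters")
	}
	return nil
}

// newAEAD builds AES-GCM; key must be 32 bytes for AES-256.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the password and returns ";;" + hex(nonce || ciphertext||tag).
// The marker is bound as associated data, so a sealed value cannot be relabelled.
func Seal(key, password []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, password, []byte(sealedMarker))
	return sealedMarker + hex.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal; any modification of the stored value fails authentication.
func Open(key []byte, stored string) ([]byte, error) {
	if !strings.HasPrefix(stored, sealedMarker) {
		return nil, errors.New("value is not sealed")
	}
	raw, err := hex.DecodeString(strings.TrimPrefix(stored, sealedMarker))
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(sealedMarker))
}

// LoadPasswordFile mirrors the first-start behaviour the article describes:
// a plaintext .dbpass is policy-checked, sealed and written back (mode 0600);
// an already-sealed file is opened. Either way the plaintext is returned.
func LoadPasswordFile(path string, key []byte) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	content := strings.TrimRight(string(data), "\r\n")
	if strings.HasPrefix(content, sealedMarker) {
		pw, err := Open(key, content)
		return string(pw), err
	}
	if err := CheckPasswordPolicy(content); err != nil {
		return "", err
	}
	sealed, err := Seal(key, []byte(content))
	if err != nil {
		return "", err
	}
	// Sealing only helps if other local users cannot read the file anyway.
	if err := os.WriteFile(path, []byte(sealed+"\n"), 0o600); err != nil {
		return "", err
	}
	return content, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "dbpass-demo")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".dbpass")
	// Constructed sample password and key; a real deployment would obtain the key from a host-local secret.
	_ = os.WriteFile(path, []byte("Tiger-Scott_2022#Quartz\n"), 0o600)
	key := make([]byte, 32)
	_, _ = rand.Read(key)
	pw, err := LoadPasswordFile(path, key) // first start: seals the file
	fmt.Println(pw, err)
	sealed, _ := os.ReadFile(path)
	fmt.Print(string(sealed)) // now ";;" + hex, like the article's sample
	pw2, err := LoadPasswordFile(path, key) // later start: opens the sealed file
	fmt.Println(pw2 == pw, err)
}
```

The point to notice is where the security actually comes from: the AEAD makes the stored value unreadable and tamper-evident only to someone who lacks the key, so the key's own storage and the file mode (here 0600) decide who can recover the password on that host.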
