[Zope] Storing a password in a python product

Dylan Reinhardt zope@dylanreinhardt.com
Sun, 02 Mar 2003 16:28:38 -0800


At 08:41 AM 3/2/2003, Peter Bengtsson wrote:
>What are the security implications of storing a password in a python 
>product as persistent data?

Well... that depends... mostly on the security auditing done on your custom 
product.  If you display data in response to user requests, your product 
may be vulnerable to a range of attacks.  Among other things, strong input 
validation should be considered critical if you're storing sensitive data.

Another issue your question raises is whether storing the pw in the product 
means that you're moving away from HTTP authentication.  HTTP Basic isn't 
the tightest thing invented, but it's quite a bit better than sending full 
passwords over an open wire.

Ultimately, every security question must be answered by examining your 
requirements and analyzing the threat.  If a password is compromised, what 
does the cracker get?  Access?  Other information?  Credit card data?

There is no one best security policy... but a good approximation of one is 
to make do with the least amount of sensitive information possible and to 
exert the greatest control over that which you do store.  Your requirements 
should guide you as to how critical it is to store this information vs. the 
greater amount of hardening you need to do to maintain it.

HTH,

Dylan