Join the #BuildWithBuildAgent Challenge! Get recognized, earn exclusive swag, and inspire the ServiceNow Community with what you can build using Build Agent.  Join the Challenge.

Is using system properties to store passwords not secure?

phillipkeigley
Kilo Expert

‎10-02-2020 07:48 AM

While doing some compliance work, I noticed that i could log in scripts background the actual value of system properties of type password or password type2.  I was not able to log data source[sys_data_source]] passwords or auth profile[sys_auth_profile_basic] passwords.  

If you have many applications that require passwords being stored somewhere; what is best practice?  Is it against best practice to store passwords in system properties?  

Thanks for any help, code for scripts background included below:

 

gr = new GlideRecord('sys_properties');
var grOR = gr.addQuery('type', 'password');
grOR.addOrCondition('type', 'password2');
gr.query();
while (gr.next()) {
	gs.info('property type: ' + gr.type + '  ' + gs.getProperty(gr.name.toString())); //type is password or password2, gs.info prints the actual password in scripts background
}

r = new GlideRecord('sys_data_source');
gr.addNotNullQuery('jdbc_password');
r.query();
while (r.next()) {
	gs.info(r.jdbc_password); //password field here is "internal type Password (2 way encrypted)  -- These appear encrypted when gs.info'd.
}

z = new GlideRecord('sys_auth_profile_basic');
z.query();
while (z.next()) {
	gs.info(z.name.toString() + z.password); //password field here is "internal type Password (2 way encrypted)  -- These appear encrypted.
}

 

Labels:
0 Helpfuls
  • 4,055 Views
7 REPLIES 7

ServiceNowSteve
Giga Guru

‎10-02-2020 07:59 AM

It's fine for non critical password storage since only admins have access to it but if you're looking to store user passwords I would look into a plugin of some kind to handle this process.

 See:

SafeSpace

0 Helpfuls

phillipkeigley
Kilo Expert
In response to ServiceNowSteve

‎10-02-2020 08:06 AM

Thanks for reply.  Could you accomplish the same thing as safe space by just creating a custom password table and use the same type of field that sys_data_source and sys_auth_profile_basic use?  

0 Helpfuls

sachin_namjoshi
Kilo Patron
Kilo Patron
In response to phillipkeigley

‎10-02-2020 08:07 AM

You should encrypt your password before storing in sys_properties records.

When you need, you can decrypt password for better security.

 

Regards,

Sachin

0 Helpfuls

phillipkeigley
Kilo Expert
In response to sachin_namjoshi

‎10-02-2020 08:27 AM

How do you do that? 

0 Helpfuls