Is using system properties to store passwords not secure?

phillipkeigley
Kilo Expert

While doing some compliance work, I noticed that I could log, in scripts background, the actual value of system properties of type password or password type2. I was not able to log data source [sys_data_source] passwords or auth profile [sys_auth_profile_basic] passwords.

If you have many applications that require passwords being stored somewhere, what is best practice? Is it against best practice to store passwords in system properties?

Thanks for any help, code for scripts background included below:

 

var gr = new GlideRecord('sys_properties');
var grOR = gr.addQuery('type', 'password');
grOR.addOrCondition('type', 'password2');
gr.query();
while (gr.next()) {
	gs.info('property type: ' + gr.type + '  ' + gs.getProperty(gr.name.toString())); // type is password or password2; gs.info prints the actual password in scripts background
}

var r = new GlideRecord('sys_data_source');
r.addNotNullQuery('jdbc_password'); // filter the data source query itself (was applied to gr)
r.query();
while (r.next()) {
	gs.info(r.jdbc_password); // password field here is internal type "Password (2 way encrypted)" -- these appear encrypted when gs.info'd.
}

var z = new GlideRecord('sys_auth_profile_basic');
z.query();
while (z.next()) {
	gs.info(z.name.toString() + z.password); // password field here is internal type "Password (2 way encrypted)" -- these appear encrypted.
}

 

7 REPLIES

ServiceNowSteve
Giga Guru

It's fine for non-critical password storage since only admins have access to it, but if you're looking to store user passwords I would look into a plugin of some kind to handle this process.

 See:

SafeSpace
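
Added example, not part of any post in this thread: a compliance inventory in plain JavaScript that reviews exported sys_properties rows without ever logging a value, unlike the scripts background snippet in the question. The sample rows are constructed, and the field names (read_roles, write_roles, is_private), the name pattern and the function name auditProperties are assumptions about the export, not ServiceNow's own API.

```javascript
'use strict';
// Added example. Rows mimic an export of sys_properties; the field names
// (name, type, value, read_roles, write_roles, is_private) are assumed to match it.
const SECRET_TYPES = new Set(['password', 'password2']); // types named in the thread
// Heuristic for secrets saved under another type; the pattern is an assumption.
const SECRET_NAME = /passw(or)?d|secret|token|api[._-]?key/i;

function auditProperties(rows) {
  const findings = [];
  for (const row of rows) {
    const typed = SECRET_TYPES.has(row.type);
    const named = SECRET_NAME.test(row.name);
    if (!typed && !named) continue; // not a credential, skip
    const review = [];
    if (!typed) review.push('secret-looking name but type is ' + row.type);
    if (!row.read_roles) review.push('read_roles is empty');
    if (!row.write_roles) review.push('write_roles is empty');
    if (String(row.is_private) !== 'true') review.push('not marked private');
    // The value is never copied into the report, only whether one exists.
    findings.push({ name: row.name, type: row.type, hasValue: Boolean(row.value), review });
  }
  return findings;
}

// Constructed sample rows (not real property names or secrets).
const SAMPLE_ROWS = [
  { name: 'x_acme.billing.api.password', type: 'password2', value: 'CONSTRUCTED-1',
    read_roles: 'admin', write_roles: 'admin', is_private: 'true' },
  { name: 'x_acme.ldap.bind.password', type: 'password', value: 'CONSTRUCTED-2',
    read_roles: '', write_roles: '', is_private: 'false' },
  { name: 'x_acme.partner.api_key', type: 'string', value: 'CONSTRUCTED-3',
    read_roles: '', write_roles: 'admin', is_private: 'true' },
  { name: 'x_acme.ui.banner_text', type: 'string', value: 'Welcome',
    read_roles: '', write_roles: '', is_private: 'false' },
];

// Report lists names and review items only; no property value is printed.
console.log(JSON.stringify(auditProperties(SAMPLE_ROWS), null, 2));
```

The review items are prompts for a human reviewer, not proof of exposure; what an empty role field means on a given instance depends on its ACLs.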

Thanks for the reply. Could you accomplish the same thing as SafeSpace by just creating a custom password table and using the same type of field that sys_data_source and sys_auth_profile_basic use?

You should encrypt your password before storing it in sys_properties records.

When you need it, you can decrypt the password, for better security.

 

Regards,

Sachin

How do you do that?