Welcome to the LimeSurvey Community Forum

hash database password in config.php??

5 years 1 month ago #180596 by ritapas
Hello,
I'm being asked about our LimeSurvey MySQL DB owner's password, which is in clear text in the config.php file.
Is there any way to hide or hash it?
The topic has been locked.
5 years 1 month ago #180598 by LouisGac
Replied by LouisGac on topic hash database password in config.php??
Where will you store the encryption key of that password?
5 years 1 month ago #180603 by DenisChenu
Replied by DenisChenu on topic hash database password in config.php??
If you know a FLOSS system where the DB password can be set hashed: please give a link.

Otherwise: you can set the password differently in config.php

Using $_ENV: secure.php.net/manual/fr/reserved.variables.environment.php
Using file_get_contents("/var/myconfig/ldpassword.txt")

etc …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer to private message.
The following user(s) said Thank You: ritapas
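
The two alternatives suggested in the post above, as an added example that is not part of the thread and not LimeSurvey code: the password is read from an environment variable, or from a file outside the web root, with checks that the file cannot be served or read by every local account. The variable name LIMESURVEY_DB_PASSWORD and the function load_db_password() are hypothetical; the file path is the one quoted in the post.

```php
<?php
// Added example, not LimeSurvey code. Assumes a POSIX host.
// LIMESURVEY_DB_PASSWORD is a hypothetical variable name; the file
// path is the one quoted in the post above.
function load_db_password(
    string $envName = 'LIMESURVEY_DB_PASSWORD',
    string $file = '/var/myconfig/ldpassword.txt'
): string {
    // 1. Environment variable. $_ENV can be empty depending on the
    //    variables_order ini setting, so fall back to getenv().
    $value = $_ENV[$envName] ?? getenv($envName);
    if (is_string($value) && $value !== '') {
        return $value;
    }

    // 2. File. It must exist and be readable by the web server user.
    $real = realpath($file);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        throw new RuntimeException("DB password file not readable: $file");
    }

    // Refuse a file the web server could serve as a static document.
    $root = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $root = $root !== '' ? realpath($root) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('DB password file is inside the web root');
    }

    // Refuse a file any local account can read or write.
    $mode = fileperms($real);
    if ($mode === false || ($mode & 0007) !== 0) {
        throw new RuntimeException('DB password file is accessible to "other"');
    }

    $secret = file_get_contents($real);
    if ($secret === false) {
        throw new RuntimeException('Could not read DB password file');
    }
    $secret = rtrim($secret, "\r\n"); // editors usually add a newline
    if ($secret === '') {
        throw new RuntimeException('DB password file is empty');
    }
    return $secret;
}

// In config.php, the literal in the db component would become:
//   'password' => load_db_password(),
```

The password is still plaintext to any code running as the web server user; this keeps it out of config.php, and so out of copies of the application directory and version control.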
5 years 1 month ago #180605 by ritapas
Replied by ritapas on topic hash database password in config.php??
@LouisGac I wish I knew: maybe prompting the root user for it and then storing it in memory? I'm afraid I'm obviously no security expert, I'm just wondering if somebody else has had the same problem and solved it.

@Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay" :(
The only example that comes to my mind is the Linux shadow password system!
But, maybe a LimeSurvey (paid) professional has developed some plugin I could ask to buy, one never knows.

I'll investigate the alternative ways you are showing.
5 years 1 month ago #180606 by DenisChenu
Replied by DenisChenu on topic hash database password in config.php??

ritapas wrote: @Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay" :(

No,

It's about having some code sample :) if possible in PHP. Then we can get inspiration or even copy/paste.

About the Linux shadow password: no, we can't use it. We can crypt the user password (the user has to enter the password, and then we test if it is the same): we do it for the user password like a Linux box does it for the user password.

The following user(s) said Thank You: ritapas
5 years 1 month ago #180609 by ritapas
Replied by ritapas on topic hash database password in config.php??

DenisChenu wrote: No,

It's about having some code sample :) if possible in PHP. Then we can get inspiration or even copy/paste.

The only example I've found uses Google services and personally I would not like that.
Indeed I think you might already know about this:
deliciousbrains.com/php-encryption-methods/

I like the idea of having an external service, though, but in our own network.
5 years 1 month ago #180614 by DenisChenu
Replied by DenisChenu on topic hash database password in config.php??
Using password_hash: it is done to validate that an existing (uncrypted) password is the same as a crypted password.
Secret Key Encryption: you need the readable private key to decrypt: where did you store this key? In config.php, then don't crypt your password …

5 years 1 month ago #180621 by holch
Replied by holch on topic hash database password in config.php??
While it might seem strange to see the password without encryption in the config.php, if someone unauthorized has access to your config.php, then you have far bigger problems than your password being leaked. This person can do basically anything with your installation anyway, I guess.

I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.

The following user(s) said Thank You: DenisChenu, LouisGac, ritapas
5 years 1 month ago #180647 by ritapas
Replied by ritapas on topic hash database password in config.php??
Quite a good point!
4 years 7 months ago - 4 years 7 months ago #187722 by JEfromCanada
Replied by JEfromCanada on topic hash database password in config.php??
@holch,

The point you make about unauthorized access is absolutely the most critical issue. But it's a much more pervasive issue than you might imagine. Unless you are self-hosting the survey on your own dedicated server, there will always be people (i.e. the staff at the hosting service you use) that will have access to your data. So, when you choose your hosting company, you are putting your trust in that organization not to invade your privacy; and not to provide hosting to nefarious parties who may try to break into other accounts.
Last edit: 4 years 7 months ago by JEfromCanada. Reason: To identify the post I'm responding to