Welcome to the LimeSurvey Community Forum
hash database password in config.php??
- ritapas
- Topic Author
- Offline
- Elite Member
5 years 1 month ago #180596
by ritapas
hash database password in config.php?? was created by ritapas
Hello,
I'm being asked about our limesurvey mysql db owner's password, which is in clear text in the config.php file.
Is there any way to hide or hash it?
The topic has been locked.
- LouisGac
- Visitor
5 years 1 month ago #180598
by LouisGac
Replied by LouisGac on topic hash database password in config.php??
Where will you store the encryption key of that password?
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13935
- Thank you received: 2551
5 years 1 month ago #180603
by DenisChenu
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer private messages.
Replied by DenisChenu on topic hash database password in config.php??
If you know a FLOSS system where the DB password can be set hashed: please give a link.
Else: you can set the password differently in config.php
Using $_ENV: secure.php.net/manual/fr/reserved.variables.environment.php
Using file_get_contents("/var/myconfig/ldpassword.txt")
etc …
The following user(s) said Thank You: ritapas
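The two alternatives DenisChenu lists, combined into one config.php sketch. This is an added example, not part of the original post and not LimeSurvey's own code; the environment variable name, database name, user name and the `components` → `db` array layout are assumptions, and the file path is the one from the post.

```php
<?php
// Added example, not LimeSurvey's own code. LIMESURVEY_DB_PASSWORD, the DB
// name/user and the array layout are assumptions made for illustration.

$resolveDbPassword = function (string $envName, string $secretFile): string {
    // 1. Environment variable set for the web server / PHP-FPM pool.
    //    getenv() is used because $_ENV is empty unless variables_order has "E".
    $fromEnv = getenv($envName);
    if ($fromEnv !== false && $fromEnv !== '') {
        return $fromEnv;
    }

    // 2. File outside the web root, readable by the PHP account.
    if (!is_file($secretFile) || !is_readable($secretFile)) {
        throw new RuntimeException('DB password: no env var and no readable secret file');
    }
    // Fail closed if other local accounts can read or write the file.
    $mode = fileperms($secretFile) & 0777;
    if (($mode & 0007) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %04o; remove world access', $secretFile, $mode));
    }
    $secret = file_get_contents($secretFile);
    if ($secret === false) {
        throw new RuntimeException('DB password: secret file could not be read');
    }
    // A trailing newline added by an editor is not part of the password.
    return rtrim($secret, "\r\n");
};

return array(
    'components' => array(
        'db' => array(
            'connectionString' => 'mysql:host=localhost;port=3306;dbname=limesurvey;',
            'username' => 'limesurvey',
            'password' => $resolveDbPassword('LIMESURVEY_DB_PASSWORD', '/var/myconfig/ldpassword.txt'),
            'charset' => 'utf8mb4',
            'tablePrefix' => 'lime_',
        ),
    ),
);
```

This keeps the password out of copies of config.php (backups, version control, support tickets); any code running as the PHP account can still read it.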
- ritapas
- Topic Author
- Offline
- Elite Member
- Posts: 212
- Thank you received: 38
5 years 1 month ago #180605
by ritapas
Replied by ritapas on topic hash database password in config.php??
@LouisGac I wish I knew: maybe prompting the root user for it and then storing it in memory? I'm afraid I'm obviously no security expert, I'm just wondering if somebody else has had the same problem and solved it.
@Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay"
The only example that comes to my mind is the linux shadow password system!
But, maybe a limesurvey (paid) professional has developed some plugin I could ask to buy, one never knows.
I'll investigate the alternative ways you are showing.
- DenisChenu
- Offline
- LimeSurvey Community Team
5 years 1 month ago #180606
by DenisChenu
Replied by DenisChenu on topic hash database password in config.php??
ritapas wrote: @Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay"
No,
It's about to have some code sample if possible in PHP. Then we can get inspiration or even copy/paste.
About linux shadow password: no, we can't use it. We can crypt user passwords (the user has to enter the password, and then we test if it is the same): we do it for user passwords like a linux box does it for user passwords.
The following user(s) said Thank You: ritapas
- ritapas
- Topic Author
- Offline
- Elite Member
5 years 1 month ago #180609
by ritapas
Replied by ritapas on topic hash database password in config.php??
DenisChenu wrote: No, It's about to have some code sample if possible in PHP. Then we can get inspiration or even copy/paste.
The only example I've found uses Google services and personally I would not like that.
Indeed I think you might already know about this:
deliciousbrains.com/php-encryption-methods/
I like the idea of having an external service, though, but in our own network.
- DenisChenu
- Offline
- LimeSurvey Community Team
5 years 1 month ago #180614
by DenisChenu
Replied by DenisChenu on topic hash database password in config.php??
Using password_hash: done to validate that an existing (uncrypted) password is the same as a crypted password.
Secret Key Encryption: needs the readable private key to decrypt: where did you store this key? In config.php, then don't crypt your password …
The topic has been locked.
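The distinction DenisChenu draws between password_hash and secret-key encryption, shown side by side. This is an added example, not part of the original post or of LimeSurvey; the password is a constructed demo value and libsodium's secretbox stands in for whatever secret-key scheme is chosen.

```php
<?php
// Added example; the password below is a constructed demo value.
$dbPassword = 'constructed-demo-password';

// --- Option A: password_hash() ------------------------------------------
// One-way and salted: it can only answer "is this candidate the same
// password?", which is what a login form needs.
$hash    = password_hash($dbPassword, PASSWORD_DEFAULT);
$loginOk = password_verify($dbPassword, $hash);
// The hash is not itself the password, and no function turns it back into
// one, so PHP would have nothing to send to MySQL at connect time.
$hashIsPassword = hash_equals($dbPassword, $hash);

// --- Option B: secret-key encryption (libsodium secretbox) --------------
$key    = sodium_crypto_secretbox_keygen();
$nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$stored = base64_encode($nonce . sodium_crypto_secretbox($dbPassword, $nonce, $key));

// What config.php would have to do on every request.
$decrypt = function (string $stored, string $key) {
    $raw    = base64_decode($stored, true);
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // sodium_crypto_secretbox_open() returns false when the key is wrong.
    return sodium_crypto_secretbox_open($cipher, $nonce, $key);
};
$withKey    = $decrypt($stored, $key);
$withoutKey = $decrypt($stored, sodium_crypto_secretbox_keygen());

printf("password_verify accepts the real password: %s\n", var_export($loginOk, true));
printf("hash usable as the password itself:        %s\n", var_export($hashIsPassword, true));
printf("decrypt with the stored key recovers it:   %s\n", var_export($withKey === $dbPassword, true));
printf("decrypt with a different key recovers it:  %s\n", var_export($withoutKey === $dbPassword, true));
// PHP must be able to read $key on every request, so the key is now the
// clear-text secret that needs protecting.
```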
- holch
- Offline
- LimeSurvey Community Team
- Posts: 11756
- Thank you received: 2753
5 years 1 month ago #180621
by holch
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
Replied by holch on topic hash database password in config.php??
While it might seem strange to see the password without encryption in the config.php, if someone unauthorized has access to your config.php, then you have far bigger problems than your password being leaked. This person can do basically anything with your installation anyway, I guess.
The following user(s) said Thank You: DenisChenu, LouisGac, ritapas
- ritapas
- Topic Author
- Offline
- Elite Member
5 years 1 month ago #180647
by ritapas
Replied by ritapas on topic hash database password in config.php??
Quite a good point!
- JEfromCanada
- Offline
- Senior Member
- Posts: 44
- Thank you received: 3
4 years 7 months ago - 4 years 7 months ago #187722
by JEfromCanada
Replied by JEfromCanada on topic hash database password in config.php??
@holch,
The point you make about unauthorized access is absolutely the most critical issue. But it's a much more pervasive issue than you might imagine. Unless you are self-hosting the survey on your own dedicated server, there will always be people (i.e. the staff at the hosting service you use) that will have access to your data. So, when you choose your hosting company, you are putting your trust in that organization not to invade your privacy; and not to provide hosting to nefarious parties who may try to break into other accounts.
Last edit: 4 years 7 months ago by JEfromCanada. Reason: To identify the post I'm responding to