Tell me more ×
Programmers Stack Exchange is a question and answer site for professional programmers interested in conceptual questions about software development. It's 100% free, no registration required.
up vote 7 down vote favorite
1

Let's say an application I'm writing requires a password for something but I don't want that password to be saved in version control (so no hard-coding the password). What I've been doing is creating a file called PASSWORD which is read in once by the application and ignored by version control. Is there a more preferential method to handle this situation?

share|improve this question
1  
Typically a configuration xml or .properties file can be used. You can even store an encrypt password if you prefer. While a previous company I worked for used Windows registry this made it a headache to install different versions on the same machine. – Asaf Apr 24 at 20:03

2 Answers

up vote 1 down vote accepted

This is a perennial problem. At some point, when software needs to access something protected by a password, the software needs that password. And for the software to get that password, and not require a user to enter it manually, it has to be stored in persistent storage of some sort. I see several options:

  1. Use a hand-created (or copied) password file, ignored by the version control system, and perhaps with limited readability (just the owner (0400 on Unix), for example). I do this myself sometimes these days.

  2. Encrypt the password file somehow. Technically, this doesn't actually solve the problem, as the decryption key needs to be stored somewhere, too, but it means that the password is no longer stored in cleartext. The decryption key could be baked into the software that reads the encrypted password file, and an encryption key baked into a small utility that generates encrypted password files. This might be pretty good. I did this in earlier days when I was more paranoid.

  3. Use a pre-shared key mechanism similar to what people do to ssh to remote machines without needing a password. This might be harder to set up, but can be elegant.

share|improve this answer
up vote 2 down vote

For Windows applications, there is the registry or various config files,e.g. app.config or web.config, that could be used to store this kind of data. AppSettings is the collection used within Windows code to access the config file in .Net for example.

I'd suspect there are similar files and locations on systems using other operating systems for where this information would be stored.

While you may disagree about storing a web.config in version control, I have had more than a few times where a developer got upset that I committed the "web.config" and thus at times it is worth considering what is the code and what is configuration that administrators can handle. If you have a better solution, why aren't you posting it?

share|improve this answer
1  
-1. The question is specifically about storing sensitive data which shouldn't get its way in version control. Advising to use web.config is somehow strange: either you skipped the "no version control" part, or you suggest not to store web.config in version control, which is a terrible advice. – MainMa Apr 24 at 20:19
1  
+1 Lots of Windows applications require the user to modify the whatever.config file. It's a perfectly normal operation, in that environment. – Ross Patterson Apr 24 at 22:09

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.