Hello to all. Sorry to have answered this late, I've been out for Thanksgiving.
Wow! I didn't know I knew so little about securing servers. :) Thanks so much to all of you for all your answers. I have to agree. I have always thought that keeping the bad guys out should be done by the people who are best supposed to know about it, the network and security guys. I am just a lowly coder. :) My guess is that the thought behind the password encryption request is really to try and make life a bit more difficult for the less skilled inside hackers (read here: their own employees). Not long ago I was told by a security expert that over 90% of hack attacks are insider jobs. I'll pass along a link to this discussion to the person in charge. I hope they realize that password encryption is not the solution to the problems they're trying to prevent. Many thanks to all of you.

Pepe

On Nov 27, 1:40 pm, "Jean-Marc (M2i3.com)" <[EMAIL PROTECTED]> wrote:
> Funny this would end up in a discussion on Rails.
>
> We have clients on other products asking to encrypt the passwords and
> encrypt this and that (funny also that they are gov. bodies too).
>
> The explanation about securing the server and restricting access to
> the file did not resolve the question.
>
> What did resolve the question was:
>
> - encrypting the information with the private portion of a PPK (public/private key).
> - using a smartcard installed on the server with the public portion of the PPK.
>
> This approach does not resolve physical access to the computer, but it
> does limit the accessibility of the data. It does not resolve the
> following:
>
> 1. The party takes control of the machine where the smartcard is
> connected (if you can control the machine it is very likely you can
> access the information on the smartcard).
> 2. Your facility is invaded and the smartcard is stolen.
>
> --------
>
> Personally I think there is way too much attention given to encryption
> as a means to secure stored information... you always need to provide a
> means to retrieve it, which makes it insecure if that means is
> compromised.
>
> My personal preference on that level is to:
>
> 1. Ensure it is visible only to users who should see it (can be done with
> file/network security... no need for encryption there).
> 2. Ensure that the file is accessed only by processes/users who are
> authorized to view that information (can be done with monitoring tools
> to trigger an alert... if your machine or file has been compromised
> you've got bigger problems than a single password in a file).
> 3. Frequently change the credential information (this will reduce the
> value of the information if it is compromised).
> 4. Monitor the services (i.e. database, web, file system, connections)
> and look for suspicious activity.
>
> Lastly, it is important to keep in mind that security is a question of
> layers... the more you have, the better chances you have of not being
> compromised...
>
> Jean-Marc
> http://m2i3.com
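Point 1 of the quoted advice (restrict who can read the file rather than encrypt it) can be turned into a startup check. The following is an added example, not code from the thread or from Rails; it assumes the credentials live in a plain file owned by the process user and reports any group/other permission bits or an unexpected owner.

```ruby
# Added example (not from the thread): verify that a credentials file is
# readable only by its owner before the application trusts it.
require 'tempfile'

# Returns a list of problems with the file's permissions; empty means OK.
# expected_uid: the uid the file should belong to (assumed: the running user).
def credential_file_problems(path, expected_uid: Process.euid)
  st = File.stat(path)
  problems = []
  problems << 'not a regular file' unless st.file?
  problems << "owned by uid #{st.uid}, expected #{expected_uid}" unless st.uid == expected_uid
  # Any group/other bit set means users besides the owner can read, write or execute it.
  if (st.mode & 0o077) != 0
    problems << format('mode %04o grants group/other access', st.mode & 0o777)
  end
  problems
end

def credential_file_ok?(path, **opts)
  credential_file_problems(path, **opts).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: the same file first world-readable, then owner-only.
  Tempfile.create('database.yml') do |f|
    f.write("production:\n  password: placeholder\n")
    f.flush
    File.chmod(0o644, f.path)
    puts "#{f.path}: #{credential_file_problems(f.path).inspect}"
    File.chmod(0o600, f.path)
    puts "#{f.path}: ok=#{credential_file_ok?(f.path)}"
  end
end
```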

