On Monday, November 14, 2016 at 9:26:43 AM UTC-8, Matthew Curtice wrote:
>
> I was wondering if it would be possible to update the connection function 
> to store the password in memory as encrypted.  I work on a team where 
> paired programming is implemented.  In order to keep our passwords 
> confidential, we store them encrypted in files and taught ruby how to 
> decrypt them when calling external connections.  We have been using this 
> method for a while, and it has worked quite well. Today however, I 
> happened to be debugging an issue which involved inspecting the sequel 
> connection object, when much to my surprise (and my pairing partner's), 
> there was my password displayed in plain text in the debugger.  
>
> I understand that the password needs to be stored, as we don't want to 
> hold the connection open for the entire duration of the script.  But it 
> would be nice if it stored the password as encrypted, and then decrypted it 
> internally before re-connecting.
>

That's just pointless obfuscation as far as I am concerned.  Sequel uses a 
connection pool, and may need the password at any point in the future, so 
it needs to have access to it.  Trying to hide it by encrypting it and then 
decrypting when needed is pointless, because you'd need to store the 
decryption key in memory or somewhere else where the process could access 
it.

If you are using PostgreSQL, I'd recommend using a .pgpass file instead of 
having a password specified directly in the code.

Another way to work around your particular problem would be to override 
#inspect on the password string.

Thanks,
Jeremy
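One way to do what Jeremy suggests, as an added example that is not code from this thread or from Sequel itself: a String subclass whose #inspect hides its contents, so a password sitting in a connection-options Hash is not shown when `p`, `pp` or a debugger dumps the object. The options Hash, `redact_password` and `connection_url` are constructed for the example; the value is still in memory and still readable via `to_s`, which is exactly the point Jeremy makes.

```ruby
# Added example, not from the sequel-talk thread or the Sequel gem.
require 'pp'

class RedactedString < String
  # p, Hash#inspect and most debuggers render values through #inspect,
  # so overriding it here hides the password from casual dumps.
  def inspect
    '"[REDACTED]"'
  end

  # pp renders Strings via pretty_print; route it through #inspect too.
  def pretty_print(q)
    q.text(inspect)
  end
end

# Wrap the :password entry of a (constructed, hypothetical) options Hash
# the way it would be handed to a connection function.
def redact_password(opts)
  opts = opts.dup
  opts[:password] = RedactedString.new(opts[:password]) if opts[:password]
  opts
end

# What an adapter would actually use: interpolation/to_s still yields the
# real contents, so the connection keeps working unchanged.
def connection_url(opts)
  "postgres://#{opts[:user]}:#{opts[:password]}@#{opts[:host]}/#{opts[:database]}"
end

if $PROGRAM_NAME == __FILE__
  opts = redact_password(user: 'app', password: 'hunter2', host: 'db', database: 'prod')
  p opts                     # :password shown as "[REDACTED]"
  pp opts
  puts connection_url(opts)  # real password used where the driver needs it
end
```

Note that this only affects what inspection prints; anything that calls `to_s`, compares the string, or reads process memory still sees the real value.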
