Hi Guys,
I'm looking into configuring a free dns service (freedns.afraid.org to be specific) and in its .conf file to check what the IP is, it needs my account and password information owned by root. The example is as follows:
sudo nano /etc/inadyn.conf
--username techhome
--password mypassword
--update_period 3600
--forced_update_period 14400
--alias techhome.homenet.org,alphanumeric key
--background
--dyndns_system default@freedns.afraid.org
--syslog
I've been looking into salting and hashing passwords but I can't find a good guide on how to store "mypassword" in plain text as opposed to a hash+salt. I'm wondering if this really is even an issue as the file is owned by root and so anyone who tries to access it shouldn't be able to do anything with it anyways, correct? Thanks for reading!
Last edited by 15goudreau (2015-01-20 21:51:17)
Offline
Most likely no one will ever get your password. If someone does get your password, what is the worst damage they can do? Point your domain name to a different web server?
I personally don't think that's big enough damage to worry about it.
Offline
Thanks for the reply drcouzelis!
That's kind of what I was figuring from my point of view.
Onto a follow-up question. If it was important to salt+hash the password, how would I pass that through the .conf? I'm more curious than anything. And I couldn't really figure out what question to type into Google to find the answer on my own. Thanks!
Offline
My search for "linux safe to store passwords as plain text" came up with this very relevant thread:
http://stackoverflow.com/questions/2664 … plain-text
Summary: No, encrypting the password is not effective. The application needs to be able to access the password by itself, which means whatever method it uses to automatically decrypt a password will also be available to anyone else.
Offline
That particular site does not use passwords. It uses authorization tokens that you obtain from the site's webpage. The token becomes part of the URL that is passed into the DNS update request.
Take a look at https://freedns.afraid.org/scripts/freedns.clients.php and look at the instructions for openWRT to get a feeling for how this works.
If the token is compromised, use your account and password at the site to get a new token.
Edit, BTW -- I use that service on my DD-WRT based router. Works like a charm.
Last edited by ewaller (2015-01-20 18:11:12)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
My search for "linux safe to store passwords as plain text" came up with this very relevant thread:
http://stackoverflow.com/questions/2664 … plain-text
Summary: No, encrypting the password is not effective. The application needs to be able to access the password by itself, which means whatever method it uses to automatically decrypt a password will also be available to anyone else.
In general, this is an old problem discussed primarily in the context of mail-related software. See http://www.fetchmail.info/esrs-design-notes.html (sadly, thunderbird and claws-mail (and others) will symmetrically encrypt the passwd and not even set restricted permissions on .mozilla or .claws-mail dirs resp.).
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
sadly, thunderbird and claws-mail (and others) will symmetrically encrypt the passwd and not even set restricted permissions on .mozilla or .claws-mail dirs resp.
math@thinkpad ~ % ls -dl .thunderbird .mozilla
drwx------ 4 math math 37 Jan 3 21:24 .mozilla/
drwx------ 3 math math 48 Jan 4 22:03 .thunderbird/
?
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Offline
That particular site does not use passwords. It uses authorization tokens that you obtain from the site's webpage. The token becomes part of the URL that is passed into the DNS update request.
Take a look at https://freedns.afraid.org/scripts/freedns.clients.php and look at the instructions for openWRT to get a feeling for how this works.
If the token is compromised, use your account and password at the site to get a new token.
Edit, BTW -- I use that service on my DD-WRT based router. Works like a charm.
Your link doesn't go anywhere for me. I get a webpage not available?
Thanks for the clarification about the passwords. It's odd that they include it but it's not needed, don't you think?
My search for "linux safe to store passwords as plain text" came up with this very relevant thread:
http://stackoverflow.com/questions/2664 … plain-text
Summary: No, encrypting the password is not effective. The application needs to be able to access the password by itself, which means whatever method it uses to automatically decrypt a password will also be available to anyone else.
Thanks for that link. I didn't see that before and your google foo skills are a tad better than mine.
Well that definitely answers my question on how to store the passwords. Thanks guys!
Offline
Your link doesn't go anywhere for me. I get a webpage not available?
Thanks for the clarification about the passwords. It's odd that they include it but it's not needed, don't you think?
Perhaps it was because I was logged on to the site when I copied the link.
I do not use the same tool that you are trying to use. In my case, my router is aware of the service and has the code to handle it based on the URL method they talk about on their site. The only credentials used by the router is the token.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
sadly, thunderbird and claws-mail (and others) will symmetrically encrypt the passwd and not even set restricted permissions on .mozilla or .claws-mail dirs resp.
math@thinkpad ~ % ls -dl .thunderbird .mozilla
drwx------ 4 math math 37 Jan 3 21:24 .mozilla/
drwx------ 3 math math 48 Jan 4 22:03 .thunderbird/
?
Hmm, I clearly remember that at least Claws was not chmod'ing its config dir (I use mutt now). I'll check again. Are you sure you don't have a 0077 umask? Otherwise, I'll take what I said earlier back
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
Yep, umask 022.
math@thinkpad ~ % umask
022
Haven't seen the need to umask 0077 as I don't have public www folders and stuff.
Last edited by Alad (2015-01-21 20:46:41)
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Offline
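An added example, not part of any post in this thread: the thread concludes that the password has to stay readable by the daemon, so the control left is the file's owner and mode, and a root-owned file created under the umask 022 shown above is still readable by every local user. The function names are hypothetical, GNU `stat` is assumed, and the sample file is constructed from the values in the opening post.

```sh
# check_secret_file PATH [UID]
# Returns 0 when PATH is owned by UID (default 0, i.e. root) and grants no
# permission bits to group or other; 1 when either check fails; 2 when the
# file cannot be stat'ed.
check_secret_file() {
    csf_info=$(stat -c '%a %u' -- "$1" 2>/dev/null) || return 2
    csf_mode=${csf_info%% *}
    csf_uid=${csf_info#* }
    csf_rc=0
    if [ "$csf_uid" != "${2:-0}" ]; then
        echo "$1: owned by uid $csf_uid, expected ${2:-0}" >&2
        csf_rc=1
    fi
    # Leading 0 makes the mode an octal constant; 077 masks group/other bits.
    if [ $(( 0$csf_mode & 077 )) -ne 0 ]; then
        echo "$1: mode $csf_mode is accessible to group/other" >&2
        csf_rc=1
    fi
    return $csf_rc
}

# demo_umask: write a constructed sample config under umask 022, audit it,
# tighten it to 600, audit again. Prints "<mode>:<result>" for each pass.
demo_umask() {
    d=$(mktemp -d) || return 1
    f=$d/inadyn.conf
    # Constructed sample input, values taken from the opening post.
    ( umask 022
      printf '%s\n' '--username techhome' '--password mypassword' > "$f" )
    before=$(stat -c '%a' -- "$f")
    rc_before=0
    check_secret_file "$f" "$(id -u)" || rc_before=$?
    chmod 600 -- "$f"
    after=$(stat -c '%a' -- "$f")
    rc_after=0
    check_secret_file "$f" "$(id -u)" || rc_after=$?
    rm -rf -- "$d"
    echo "$before:$rc_before $after:$rc_after"
}

demo_umask
```

For the file from the question, the equivalent check as root is `check_secret_file /etc/inadyn.conf`, and `chmod 600 /etc/inadyn.conf` is the fix if it fails.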