tags:

views:

121

answers:

1
+2  Q: 

Best Practices for storing passwords in Windows Azure

For those in the know, what recommendations do you have for storing passwords in Windows Azure configuration file (which is accessed via RoleManager)? It's important that:

1) Developers should be able to connect to all production databases while testing on their own local box, which means using the same configuration file,

2) Being Developers need the same configuration file (or very similar) as what is deployed, passwords should not be legible.

I understand that even if passwords in the configuration were not legible Developers can still debug/watch to grab the connection strings, and while this is not desirable it is at least acceptable. What is not acceptable is people being able to read these files and grab connection strings (or other locations that require passwords).

Best recommendations?

Thanks,

Aaron

+1  A: 

Hum, devs are not supposed to have access to production databases in the first place. That's inherently non-secure, no matter if it's on Azure or somewhere else. Performing live debugging against a production database is a risky business, as a simple mistake is likely to trash your whole production. Instead I would suggest to duplicate the production data (eventually as an overnight process), and let the devs work against a non-prod copy.

Joannes Vermorel  2009-09-11 13:48:38
I understand, but the core issue is where/how these passwords should be stored in the first place. Developers for instance connect to a "dev" environment, which should also be secured.
Aaron  2009-09-12 11:53:55
Passwords and the like (connection strings) should be stored in your azure package configuration file. That's the logical place for that. Then concerning the "dev" environment, I think there are 2 simple practices 1) know the persons that you trust with credentials 2) change credentials when people quit the dev team.
Joannes Vermorel  2009-09-12 17:50:54

related questions

What are some good security questions?
What's a good alternative to security questions?
Protect embedded password
How do you generate passwords?
Should I impose a maximum length on passwords?
How best to generate a random string in Ruby
What is the best way to check the strength of a password?
In a client-server application: How to send to the DB the user's application password?
How does your company manage credentials?
Replacing plain text password for app
How to implement password protection for individual files?
Password generation, best practice
Unique key generation
Generating Random Passwords
Oracle lost sysdba password
How does one decrypt a PDF with an owner password, but no user password?
Storing Windows passwords.
How do I avoid having the database password stored in plaintext in sourcecode?
How do I write Firefox add-on that automatically enters proxy passwords?
How to store passwords in Winforms application?
Two-way password encryption without ssl
Disable browser 'Save Password' functionality
Simple password encryption
Best way to store a database password in a startup script / config file?
Encrypting Passwords