|
|
|
|
|
|
by wernerb
1264 days ago
|
|
|
I'm not sure what you are asking. For any reasonable service/Saad this is by far not te norm for end user credentials. They are always hashed, hopefully salted and with a strong algorithm. Administrator credentials are harder yes. Something like hashicorp vault can be made to fit any company (custom backend plugins). For most stuff it already has backend plugins available (ssh, any rdbms). The open source version I have seen can fit a large fintech startup no problem. |
|
|
For example, let's talk about the BI tool, mode.com. As a customer, I login to mode.com and click the "New Database Connection" button, where I get a screen to input the connection information for my postgres database: host, username, password, port, etc. If you are a developer at mode.com, what are the best practices to keeping `user_database_connections.password` secure? I can't hash the `password` column because I need to use the raw `password` when my code connects to the user's postgres database.
I'm assuming I should encrypt the information, so an attacker who does a databse dump can't read the `user_database_connections` table, but what else should I do? Keep that information in a seperate database? seperate microservice? etc, etc.
Other examples of tools which connect directly to the database(s) of the customer, so they store db creds of their customers in the saas database: - hightouch.com - fivetran.com - explo.com