|
|
|
|
|
|
by tomhallett
1262 days ago
|
|
|
Sorry, I'm not referring to "end user credentials" which can be salted and hashed. I'm referring to user data which has to be stored in the database. For example, let's talk about the BI tool, mode.com. As a customer, I login to mode.com and click the "New Database Connection" button, where I get a screen to input the connection information for my postgres database: host, username, password, port, etc. If you are a developer at mode.com, what are the best practices to keeping `user_database_connections.password` secure? I can't hash the `password` column because I need to use the raw `password` when my code connects to the user's postgres database. I'm assuming I should encrypt the information, so an attacker who does a databse dump can't read the `user_database_connections` table, but what else should I do? Keep that information in a seperate database? seperate microservice? etc, etc. Other examples of tools which connect directly to the database(s) of the customer, so they store db creds of their customers in the saas database:
- hightouch.com
- fivetran.com
- explo.com |
|
|