PeepDB-dev / peepdb

CLI tool and python library to inspect databases fast.
https://docs.peepdb.dev/
GNU General Public License v3.0

Make storing passwords more secure or change the security mentions in README to better reflect how secure the app is #20

Closed evangelosmeklis closed 1 month ago

evangelosmeklis commented 1 month ago

"I would not consider your passwords secure at all. It doesn’t matter how strong your encryption is if you don’t manage your keys securely. Don’t advertise this as “secure.”"

Research needs to be done, either to make the key storage more secure or, for now, to change the mentions regarding security.

evangelosmeklis commented 1 month ago

I changed the README, but I'll leave this open in case more security features can be added in the future

hasija commented 1 month ago

Hey, I am new to open source; I think I can help with this one.

The cause of concern is the storage of the "Fernet key".

We can avoid storage altogether by generating it dynamically from a salt and password. And we can inform users to store the credentials on their side instead of storing them locally. Also, we could give the user an option to fetch it through a .env file, or a prompt to input it when connecting to the DB.

Let me know if the above approach works; if so, I can pick this one. 😅

Ref: https://cryptography.io/en/latest/fernet/#using-passwords-with-fernet

Aherontas commented 1 month ago

Hello @hasija,

From my side it makes sense to do that. One thing to add is that we probably should have an option to allow users to choose between inputting their password each time or using a stored method. For example, for users who prefer not to enter their password every time, suggest using secure storage solutions like OS-specific keyrings or encrypted files.

hasija commented 1 month ago

Yes,

I could store the Fernet key as a value in the keychain using the Python keyring lib. This would go with the current implementation, and then we could add an option to specify a password for dynamic generation of the Fernet key as well.

Does this sound good?

Ref: https://github.com/jaraco/keyring
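The two options discussed in this thread (hasija's earlier comment on deriving the key from a password and salt, and this comment on keeping the key in the OS keyring), sketched as an added example that is not peepdb's own code. The PBKDF2-HMAC-SHA256 derivation matches the construction the cryptography.io page linked above documents, done here with the standard library so the derivation runs without extra packages; the `cryptography` and `keyring` calls are imported lazily. `SERVICE_NAME`, `PEEPDB_FERNET_KEY`, the function names and the lookup order in `resolve_key` are assumptions for the illustration.

```python
import base64
import hashlib
import os
from typing import Optional

# Assumed names for this illustration; peepdb's real code may differ.
SERVICE_NAME = "peepdb"
SALT_LEN = 16                # 128-bit salt, stored next to the ciphertext; it is not secret
KEY_LEN = 32                 # Fernet keys are exactly 32 bytes, urlsafe-base64 encoded
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256; raise as hardware allows


def new_salt() -> bytes:
    """Generate a fresh random salt; persist it alongside the encrypted config."""
    return os.urandom(SALT_LEN)


def derive_fernet_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a Fernet-compatible key from a password and salt.

    PBKDF2-HMAC-SHA256 with a 32-byte output, urlsafe-base64 encoded, is what
    cryptography.io documents for password-based Fernet keys, so the result can
    be passed straight to cryptography.fernet.Fernet(). The derivation is
    deterministic, so nothing secret has to be written to disk: the same
    password and salt always reproduce the same key.
    """
    if len(salt) < SALT_LEN:
        raise ValueError("salt too short")
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return base64.urlsafe_b64encode(raw)


def is_fernet_key(key: bytes) -> bool:
    """True if `key` decodes to the 32 raw bytes Fernet expects."""
    try:
        return len(base64.urlsafe_b64decode(key)) == KEY_LEN
    except (ValueError, TypeError):
        return False


def encrypt_with_password(plaintext: bytes, password: str, salt: bytes) -> bytes:
    """Encrypt with a password-derived key (needs the `cryptography` package)."""
    from cryptography.fernet import Fernet  # lazy import so the derivation works without it
    return Fernet(derive_fernet_key(password, salt)).encrypt(plaintext)


def decrypt_with_password(token: bytes, password: str, salt: bytes) -> bytes:
    """Decrypt a token from encrypt_with_password; a wrong password raises InvalidToken."""
    from cryptography.fernet import Fernet
    return Fernet(derive_fernet_key(password, salt)).decrypt(token)


# --- Stored method: keep a generated key in the OS keyring (needs the `keyring` package) ---

def store_key_in_keyring(username: str, key: bytes) -> None:
    """Hand the key to the OS credential store (Keychain, Credential Manager, Secret Service)."""
    import keyring  # lazy import: only needed when the user chooses the stored method
    keyring.set_password(SERVICE_NAME, username, key.decode("ascii"))


def load_key_from_keyring(username: str) -> Optional[bytes]:
    """Fetch the key back, or None if nothing has been stored for this user."""
    import keyring
    value = keyring.get_password(SERVICE_NAME, username)
    return value.encode("ascii") if value else None


def resolve_key(username: str, password: Optional[str] = None, salt: Optional[bytes] = None) -> bytes:
    """Choose the key source: a prompted password first, then the environment, then the keyring.

    The order is an assumption; the thread only lists the three options.
    """
    if password is not None:
        if salt is None:
            raise ValueError("a salt is required to derive the key from a password")
        return derive_fernet_key(password, salt)
    env_key = os.environ.get("PEEPDB_FERNET_KEY")  # assumed variable name, for the .env option
    if env_key:
        return env_key.encode("ascii")
    stored = load_key_from_keyring(username)
    if stored is None:
        raise RuntimeError("no key: supply a password, set PEEPDB_FERNET_KEY, or store one in the keyring")
    return stored


if __name__ == "__main__":
    # Constructed demo values; the round trip only runs if `cryptography` is installed.
    salt = new_salt()
    key = derive_fernet_key("example-password", salt)
    print("derived key:", key.decode("ascii"))
    try:
        token = encrypt_with_password(b"postgres://user:pw@host/db", "example-password", salt)
        print("round trip:", decrypt_with_password(token, "example-password", salt))
    except ImportError:
        print("cryptography not installed; skipping encrypt/decrypt round trip")
```

With this split, only the salt (and, for the stored method, nothing at all) lives in peepdb's config directory; a wrong password simply derives a different key and Fernet rejects the token with `InvalidToken`, which is the behaviour a prompt-on-connect flow would surface to the user.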

evangelosmeklis commented 1 month ago

@hasija yes, do go ahead. Remember to run the unit tests before opening a PR and also add unit tests for anything new you add to the main code. I have assigned this issue to you; let me know if anything changes.