Curious whether or not it is a bad idea to create Users with password in db:seeds for development?
3 Answers
It's generally a bad practice because of the small but certain number of times that they will 'somehow' be forgotten about and created in production. So that's the biggest thing to know and be aware of. Good security is about being attentive to as many layers and possibilities as possible. It's never a 'one thing to look at' issue.
Caveat given, I think it's fairly OK. You really need those users for development and testing. Therefore I recommend doing the following:
Enter a ticket now in your ticket tracking system, that before go-live you will check the production system for such accounts.
Even test and dev accounts should have real passwords like BIGmy2+catz, NOT "password", "abc123", "change-me", etc.
consider excluding the seeds file in your source control (e.g. .gitignore for git) so that they aren't even on the remote server.
consider encrypting the file, decrypting it "as needed", and then deleting the decrypted file immediately after use.
Be careful and cautious when running the rake db:seed command, and think carefully about what's in the current seeds.rb file and where the data will be visible from, e.g. the public internet.
At the end of the day it is always a balance between the conflicting goals of:
Securing and protecting the data
and
Allowing developers to get their work done without too many hurdles.
I think I have to agree with you, seems like something you wouldn't want to keep stored anywhere. But if there was a well known standard for doing that I'd definitely like to save some time and try... thanks for the detailed answer. – botbot Aug 02 '12 at 02:28
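The recommendations in the answer above (keep dev credentials out of source control, refuse weak passwords, never let the seed run against production) can be combined into one small seeding helper. The following is an added example, not code from the question or any of the answers: it reads dev users from a hypothetical gitignored file config/dev_users.yml (falling back to a constructed sample when the file is absent), refuses to run when RAILS_ENV is production, rejects the throwaway passwords the answer names, and hashes each password with PBKDF2 as a stand-in for what has_secure_password would do in a real User model.

```ruby
require "yaml"
require "openssl"

# Passwords the answer says must never be used, even for dev accounts.
WEAK_PASSWORDS = %w[password abc123 change-me changeme 123456 secret].freeze
MIN_PASSWORD_LENGTH = 10

# Constructed sample of the gitignored file config/dev_users.yml
# (hypothetical path; the real file would never be committed).
SAMPLE_DEV_USERS_YAML = <<~YAML
  - email: dev-admin@example.test
    password: "BIGmy2+catz"
    admin: true
  - email: dev-user@example.test
    password: "pl4in-Vanilla-88"
    admin: false
YAML

# A password is weak if it is missing, too short, or on the denylist.
def weak_password?(password)
  password.nil? ||
    password.length < MIN_PASSWORD_LENGTH ||
    WEAK_PASSWORDS.include?(password.downcase)
end

# Stand-in for has_secure_password / bcrypt: PBKDF2-HMAC-SHA256, hex encoded.
def password_digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, "sha256").unpack1("H*")
end

# safe_load: the YAML is developer-controlled, but there is no reason to allow
# arbitrary object deserialization in a seed file.
def load_dev_users(yaml_text)
  YAML.safe_load(yaml_text) || []
end

# Returns the attributes each dev user would be created with, or raises.
def dev_seed_users(env:, yaml_text:)
  raise "refusing to seed development users in #{env}" if env == "production"

  load_dev_users(yaml_text).map do |row|
    email    = row.fetch("email")
    password = row.fetch("password")
    raise ArgumentError, "weak password for #{email}" if weak_password?(password)

    salt = OpenSSL::Random.random_bytes(16)
    {
      email: email,
      admin: row.fetch("admin", false),
      salt: salt.unpack1("H*"),
      password_digest: password_digest(password, salt)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  path = File.expand_path("config/dev_users.yml", Dir.pwd)
  yaml = File.exist?(path) ? File.read(path) : SAMPLE_DEV_USERS_YAML
  env  = ENV.fetch("RAILS_ENV", "development")

  dev_seed_users(env: env, yaml_text: yaml).each do |u|
    # In db/seeds.rb this is where User.create!(email: u[:email], ...) would go.
    puts "would create #{u[:email]} (admin=#{u[:admin]})"
  end
end
```

In a Rails project the body of dev_seed_users would be called from db/seeds.rb and the returned attributes passed to User.create!; the production guard stays even though Rails itself does not run seeds automatically, because the failure mode the answer warns about is a human running rake db:seed in the wrong environment.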
You should avoid storing passwords in clear text and committing them to the repo. That being said, think about it this way: if you broadcast these usernames/passwords clearly on the site, would it do any damage (let's say a dummy user to show off the system)? If not, then go ahead and do it as part of the seed.
Just looking for the convenience of creating these users, or even a large list of multiple users... now that I think of it, maybe parsing a yml file out of the project directory might work, but moving it across systems may be a pain – botbot Aug 02 '12 at 02:00
It's in development, right? Does anyone have access to your dev machine and what could they do with it? I think it's fine. Seeds shouldn't run on production.