Password storage/retrieval for local network server

Çağlar Arlı

I have an application server, written in C++, which uses a REST API to serve requests. There is no database, just a simple service which returns whether the content of a request is valid.

Situation

The server is in a local network and only reachable there, has no internet connection, and is only meant to serve requests from the same local network.

Our solution

Now I want to secure the REST API with Basic Authentication, with one user only, and have no idea whether the following method of storing the password is secure enough:

  1. The password will be passed as parameter on deployment
  2. The deployment will encrypt (with DES) the password with a key, store it in an environment variable, say PASSWORDENV, whereas the key will be hard-coded in the application code.
  3. When a request comes, the application should read the HTTP headers for the id and password, encrypt the password, and compare it with PASSWORDENV

Concerns

  1. The encryption key is hardcoded, but I don't know any other way to verify the password
  2. Is there any security problem with our solution?
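
An added example, not part of the original post or the poster's code: the same deploy-then-verify flow with the reversible DES step swapped for a salted one-way PBKDF2-HMAC-SHA256 hash, so PASSWORDENV can be checked without any key in the application. It is written in Python for brevity rather than the server's C++; `USER_ID`, `ITERATIONS`, the stored-value layout and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune for the deployment host
USER_ID = "service"    # hypothetical id of the single allowed user


def make_passwordenv(password, salt=None):
    """Deployment step: derive the value to store in PASSWORDENV."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def parse_basic(header):
    """Split an 'Authorization' value of scheme Basic into (id, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_request(header, stored):
    """Request step: re-derive the hash and compare in constant time."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                      bytes.fromhex(salt_hex), int(iters))
    except ValueError:                         # malformed stored value
        return False
    # Run both comparisons before combining them, so neither is skipped.
    user_ok = hmac.compare_digest(user.encode(), USER_ID.encode())
    pass_ok = hmac.compare_digest(derived, expected)
    return user_ok and pass_ok
```

Basic Authentication only base64-encodes the credentials in the header, so this check protects the stored value, not the password in transit.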