I am new to installing Discourse, and recently set it up on a Digital Ocean Droplet for us as our company forum/community page.
During the install, I noticed the SMTP password entry is not protected, and it is stored as plain text in the app.yml file.
That seems like a potential security issue. However, I am not a networking/security expert, so this may be just fine for a number of reasons. But in order to keep our IT Manager happy, it would help me if I can better understand why it’s done this way.
I know Discourse is widely used by many companies, so I suspect that this topic has been sufficiently addressed already.
Hashes are one-way, they can’t be reversed back to the original data.
User passwords are hashed because they don’t need to be reversible. A password hash in the database is only consulted when the user tries to log in. The hash of the provided password is compared against the password hash stored against that user record.
It’s fairly common for things like SMTP passwords and API keys to be stored in plain text. They need to be transmitted in their original form, so hashing them would prevent their use. If the third party accepted a hash of the password there would be no benefit in hashing as a form of protection.
As Jay said above, if the physical integrity of your server is compromised and your app.yml is accessed you have significantly bigger problems to worry about than the need to reset an SMTP password.
One important caveat here: you shouldn’t be using the SMTP password anywhere else, but that’s not specific to Discourse. It’s good security practice for all systems and every account.
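To make the hash-versus-plaintext distinction above concrete, here is an added example (not code from Discourse or from anyone in this thread). It stores a user password as a salted PBKDF2 hash that can only be verified, and then builds an SMTP AUTH PLAIN credential, which the mail server must receive verbatim. The `server_accepts` function is a constructed stand-in for the mail server's check, and the usernames and passwords are made up.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- user passwords: stored as a one-way hash, only ever verified -------------

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return a self-describing record 'iterations$salt$digest' (all base64 except the count).
    The digest cannot be turned back into the password; that is the whole point."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)

# --- SMTP credentials: must be presented in their original form ---------------

def smtp_auth_plain(username: str, password: str) -> str:
    """Build the base64 payload for SMTP 'AUTH PLAIN' (RFC 4616): NUL user NUL password.
    Discourse has to send the real password here, so app.yml must hold it as-is."""
    return base64.b64encode("\0{}\0{}".format(username, password).encode("utf-8")).decode("ascii")

def server_accepts(auth_blob: str, real_password: str) -> bool:
    """Constructed stand-in for the mail provider's check: decode the blob and compare
    the password field to the one the provider knows. A hashed value simply fails."""
    _authzid, _user, sent_password = base64.b64decode(auth_blob).decode("utf-8").split("\0")
    return hmac.compare_digest(sent_password.encode("utf-8"), real_password.encode("utf-8"))

if __name__ == "__main__":
    record = hash_password("hunter2")                      # constructed user password
    print("login ok:", verify_password("hunter2", record))
    print("wrong pw:", verify_password("hunter3", record))
    print("smtp with real password:", server_accepts(smtp_auth_plain("bot", "s3cret"), "s3cret"))
    print("smtp with hash instead:", server_accepts(smtp_auth_plain("bot", hash_password("s3cret")), "s3cret"))
```

The last two lines are the point of the thread: a login check only needs to compare hashes, but an outbound SMTP login needs the secret itself, so hashing it in app.yml would just break mail delivery.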
As Jay said, if someone gets access to your app.yml, you have other problems. That means they likely have full root access to your server including your production database.
The best practice here would be making sure your server is secure.
I agree that protecting the server is the first line of defense. However, in this case it’s out of my control since I have installed Discourse on a Digital Ocean Droplet.
@Stephen - thanks for the background info on SMTP passwords. I did not know that it’s common to store them in plain text for this kind of use. Like I said, this is outside my area of expertise. It’s just something that caught my attention, and I wanted to ask.
Not exactly. You can restrict logins to an SSH key only, have a running firewall, and make sure security patches are applied regularly. That’s a significant percentage of securing a droplet.
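For the "SSH key only" part of that list, here is an added audit script (not from Discourse or from anyone in the thread) that reads an `sshd_config` and reports settings that still allow password logins. It follows sshd's own rule that the first value seen for a keyword wins, and it stops at the first `Match` block because everything after that is conditional. The two sample configs are constructed; the firewall and patching items are not covered here.

```python
import sys
from typing import Dict, List

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings from sshd_config text.
    sshd keeps the FIRST value it sees for each keyword (later duplicates are ignored),
    keywords are case-insensitive, and lines after the first 'Match' apply only
    conditionally, so they are left out of this global view."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # 'Keyword value' (whitespace-separated form)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)      # first occurrence wins, as in sshd
    return settings

def audit_key_only_login(text: str) -> List[str]:
    """List the reasons a host still accepts something other than key-based SSH login."""
    s = parse_sshd_config(text)
    findings: List[str] = []
    if s.get("passwordauthentication", "yes") != "no":          # sshd default is yes
        findings.append("PasswordAuthentication is not 'no'")
    # keyboard-interactive (PAM) can still prompt for a password even when
    # PasswordAuthentication is off; older releases call it ChallengeResponseAuthentication
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication is not 'no'")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled; key-only login would lock everyone out")
    if s.get("permitrootlogin", "prohibit-password") == "yes":  # default since OpenSSH 7.0
        findings.append("PermitRootLogin yes lets root log in with a password")
    return findings

# Constructed samples, not taken from any real host.
WEAK_CONFIG = """\
# a common mistake: the hardening line was appended, but the earlier 'yes' wins
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    # Usage: python audit_sshd.py /etc/ssh/sshd_config   (or pipe in 'sshd -T' output)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    problems = audit_key_only_login(text)
    print("\n".join(problems) if problems else "key-only login: OK")
```

`sshd -T` prints the effective configuration with every default filled in, so feeding its output to the script avoids guessing at defaults for whichever OpenSSH version the droplet runs.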
That’s right. And unless you have your file system encrypted, which is difficult to do, then you have to trust them too. They have physical access to the servers and the network.
As explained, you just have to have the password in order to use it.