Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When you export the config the user and password are exported. People commit their config so you can end up with this information in your git and then on GitHub. Not only you can then bypass the shield, but people may use similar password for their admin account.
This is not a theoretical issue. A quick search on GitHub would prove it.
This module should follow a strict secure by design approach in my opinion.
Comments
Comment #2
japerryThe username/password stored by shield is not meant to be secure. If a site needs additional protection around the username/password, you should store them in the key module, which is an optional component for shield.
Comment #3
gagarine CreditAttribution: gagarine as a volunteer commentedIt's not about how you think people should use the module, but about the real world. Storing passwords in the config export is against https://en.wikipedia.org/wiki/Secure_by_design principle, period. Not follow such principle is irresponsible and gives a very bad image to Acquia as a supporting organization of this module.
Today there are people using this module, doing an export (certainly without really checking what is exported), and committing this to public repositories. As a result, it's trivial to find credentials.
They should have not done this and using the same password twice is bad. And yet...
There are things that can be done (avoiding going against decades of good practices of NOT storing passwords in clear, not even on DB):
Hash functions:
If you want to follow unsafe process, feel free, but releasing insecure product is not cool and can have dramatic consequences.
Comment #4
japerrySorry, but I believe you're fundamentally misunderstanding what Basic Auth, and by extension Shield, does and doesn't do.
First, Basic auth is, by definition, not secure. Just because it says 'username' and 'password' doesn't mean you should be linking it to anything you care about. If you are using basic auth to secure your Drupal site (IE serving sensitive data via anonymous pages and protecting it with basic auth), you're doing it wrong
Second, the main purpose of this module is to provide a basic gate against crawlers and the general public from 'stumbling' upon dev sites. Even with the key module, the password that is sent over the wire can easily be sniffed and should never be considered secure. If someone really wants into your dev site, shield likely won't protect you.
Third, if a site maintainer is exporting their website config to a public repo, they have more than shield keys to be worried about.
That all said, it might be useful to add a warning below the default 'provider' username/password fields to indicate that the username/password is stored in plain text... and to use the key module provider instead if you want other options (env variables, settings.php, etc) other than config.
But for all of the sites I've seen that use shield, the username/password is easily guessable and really only there to stop crawlers from indexing a dev site. It really shouldn't be used for anything else.
From the RFC:
Note, while you could configure your server/site to always use SSL, I'd still recommend against it.
Comment #5
geek-merlinThanks @japerry for taking the time to consider and write up the thorough reasoning.
Point 3 alone is enough to invalidate the IS reasoning.
That said, i agree that improving docs about this topic is a good thing.
Comment #6
geek-merlinComment #7
gagarine CreditAttribution: gagarine as a volunteer commentedThanks for the precision.
Then the description is misleading
At no time I see "this module provide no security. It only purpose is to hide the website from commons crawler such as Google with a insecure implementation of HTTP auth".
But even if we disagree, using the salt to hash the password seem a no brainer.
Comment #8
japerryWe could add a salt, however I've onboarded quite a few clients who only knew their password through the config or a confluence page. Since it is almost always a shared password among a team, its already not secure. Heck, I'd argue the password on the config page itself should be changed to be a textfield instead of a password type, to make it very clear that its not supposed to be secure. So my preference would be to add documentation suggesting use of the key module when tighter security is desired, and the built-in functionality is primarily a basic stop to outsiders from casual access.
Comment #9
geek-merlinYes, we should communicate in a way that does not raise too high security expectations.
Let's bikeshed a good text for the module page and readme here, and update it accordingly.