In applications, please consider the following best practices when setting and handling passwords:
- All application integration points must be secured with a strong password [1], certificate authentication, or a Kerberos principal. This includes, but is not limited to, database connections, RESTful and SOAP web services, and SSH/SFTP connections to other platforms.
- The secret (private key or password) should not be hard-coded into the application's source code or stored in the source code repository.
- The secret should be encrypted at rest wherever possible and appropriately secured on the file system per the platform security standards. (Note that in some cases, such as SSH keys, the private key file cannot itself be encrypted, since the OS needs it in clear text to function.)
- On a periodic basis, change any keys or passwords used by the application. This should be a tested, documented procedure so that rotation carries minimal risk of downtime. Particularly for older applications, check for weak passwords.
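As an added illustration of the "not hard-coded" and "secured on the file system" points (this is example code written for this page, not part of the original guidance or of any specific platform's tooling), the loader below reads a secret from an environment variable or from a file that must be readable only by its owner, and fails loudly if neither is present. The APP_SECRET_ variable prefix and the secrets-directory layout are assumptions made for the example.

```python
"""Load an application secret from outside the source tree.

Added example, not part of the original guidance: the secret comes from
an environment variable or from a file whose permissions are checked
before it is read. The APP_SECRET_ prefix and the <secrets_dir>/<name>
layout are assumptions for this example.
"""
import os
import stat
import tempfile


class SecretError(Exception):
    """Raised when a secret is missing or stored insecurely."""


def check_secret_file_mode(path):
    """Refuse a secret file that group or others can read (POSIX only).

    On non-POSIX systems the mode bits are not meaningful, so the check
    is skipped there and that platform's ownership rules apply instead.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise SecretError(f"{path} is not a regular file")
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretError(f"{path} must be readable only by its owner (mode 0600)")
    return True


def load_secret(name, secrets_dir=None, env_prefix="APP_SECRET_"):
    """Return the secret called `name`.

    Lookup order: environment variable <env_prefix><NAME>, then the file
    <secrets_dir>/<name>. There is deliberately no literal default, so a
    missing secret fails loudly instead of running with a placeholder.
    """
    env_key = env_prefix + name.upper()
    value = os.environ.get(env_key)
    if value:
        return value
    if secrets_dir is None:
        raise SecretError(f"secret {name!r} not in ${env_key} and no secrets directory given")
    path = os.path.join(secrets_dir, name)
    if not os.path.exists(path):
        raise SecretError(f"secret file {path} not found")
    check_secret_file_mode(path)
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def env_precedence_demo():
    """Constructed check: an environment variable wins over the file store."""
    key = "APP_SECRET_API_TOKEN"
    os.environ[key] = "constructed-env-value"  # constructed sample value
    try:
        return load_secret("api_token")
    finally:
        del os.environ[key]


def demo():
    """Constructed walk-through: a correctly protected file loads, and the
    same file is rejected once it becomes world-readable.
    Returns (loaded_value, was_rejected)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "db_password")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("constructed-example-value\n")  # constructed sample secret
    os.chmod(path, 0o600)
    loaded = load_secret("db_password", secrets_dir=workdir)
    os.chmod(path, 0o644)  # simulate a careless deployment
    try:
        load_secret("db_password", secrets_dir=workdir)
        rejected = False
    except SecretError:
        rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo(), env_precedence_demo())
```

Because the secret is looked up by name at runtime, rotating it is a matter of replacing the file or variable and restarting the service; nothing in the repository changes, which is what the periodic-rotation item above relies on.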
[1] Use a locally-installed password generator (e.g. Tools->Generate Password in KeePass or LastPass's Generate Secure Password function, or the apg utility). The generated password should follow the guidelines for setting PennKey passwords here: https://weblogin.pennkey.upenn.edu/changepassword
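For readers who want to see what a locally run generator does, here is an added example (written for this page; it is not code from KeePass, LastPass or apg) that draws a password from a cryptographically secure source and then vets it against a policy. The policy encoded here (at least 16 characters, all four character classes, not on a small constructed block list) is an assumed stand-in for the PennKey guidelines linked above, which this example does not reproduce; the block list also covers the "check for weak passwords" item for older applications.

```python
"""Generate and vet application passwords with a CSPRNG.

Added example, not part of the original guidance or of any password
manager: the policy (minimum 16 characters, one of each character class,
not on a block list) is an assumed stand-in for the linked PennKey rules.
"""
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 85 characters

# Constructed block list of the kind of values often found in older applications.
WEAK_BLOCKLIST = {"password", "password1", "welcome1", "changeme", "admin123", "letmein"}


def meets_policy(password, min_len=16):
    """Assumed policy: minimum length and at least one character from each class."""
    if len(password) < min_len:
        return False
    return all(any(ch in cls for ch in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def is_weak(password):
    """True if the password is on the block list (case-insensitive) or fails the policy."""
    return password.lower() in WEAK_BLOCKLIST or not meets_policy(password)


def generate_password(length=24):
    """Draw characters with secrets.choice (not random.choice, which is not
    suitable for secrets) and resample until the policy is met. With a
    24-character draw from 85 symbols a miss is rare, so the loop is short."""
    if length < 16:
        raise ValueError("length below the assumed policy minimum of 16")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "weak" if is_weak(pw) else "ok")
```

The resample loop is the simplest way to guarantee every class is present without biasing where in the string each class appears; a generator that forces "one symbol at the end" produces passwords with a predictable structure.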