Password Storage Security Policies
Sensitive data such as PPPoE/PPTP client, PPTP VPN, and DynDNS passwords, as well as
the credentials for remote authentication servers (RADIUS shared secret, LDAP bind
user password) and IPsec shared secrets, among others, appear in plain text or with
reversible Base64 encoding in the pfSense® software configuration file, config.xml.
This is a deliberate design decision inherited from m0n0wall that has been carried
over here.
Since the firewall cannot prompt the user for a password each time one is required, the implementations of the affected areas need the plain text passwords to operate. pfSense software could, of course, apply some snake oil encryption to those passwords, but that would only create a false sense of security: any encryption applied to the passwords could be reversed by anyone with access to the source code (i.e. everybody), because the firewall itself must be able to decrypt them. Hashes like SHA256 cannot be used where the plain text password is needed at a later stage, unlike the system password, which is only ever compared and is therefore stored only as a hash.
By leaving the passwords in plain text, it is very clear that config.xml
deserves to be stored in a secure location (and/or encrypted with one of the
countless programs out there). Any sort of hashing used would not be secure, and
would be dangerous because it would give the impression of security where none
exists.
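As an added example (not code from the pfSense project or its documentation), the following script walks a config.xml backup and reports which stored credentials are recoverable as-is, separating the one-way system password hash from Base64-encoded and plain-text values, so an operator can see exactly what a copied backup exposes. The sample configuration and its element names are constructed for illustration and are not a verified schema, and the Base64/hash detection is a heuristic.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup; the element
# names are assumptions for illustration, not a verified schema.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <user><name>admin</name><password>$2y$10$abcdefghijklmnopqrstuu</password></user>
    <authserver><type>radius</type><radius_secret>r4d1us-shared</radius_secret></authserver>
  </system>
  <ppps><ppp><username>dsluser</username><password>c2VjcmV0cGFzcw==</password></ppp></ppps>
  <ipsec><phase1><pre-shared-key>ipsecpsk123</pre-shared-key></phase1></ipsec>
</pfsense>
"""

# Element names that usually carry a credential, and crypt-style prefixes
# ($2y$ bcrypt, $5$/$6$ sha-crypt) that mark a one-way system password hash.
SECRET_TAG_RE = re.compile(r"password|passwd|secret|bindpw|pre-shared-key|psk", re.I)
HASH_RE = re.compile(r"^\$(2[aby]|5|6)\$")

def classify(value):
    """Return 'hash', 'base64' or 'plain'. Base64 detection is a heuristic:
    the value must decode cleanly to printable text, else it is 'plain'."""
    if HASH_RE.match(value):
        return "hash"
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "plain"
    return "base64" if decoded and decoded.isprintable() else "plain"

def audit(xml_text):
    """Return [(location, kind, recovered)] for every credential in the file;
    hashed values yield None, Base64 and plain values come back in the clear."""
    findings = []
    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            value = (child.text or "").strip()
            if value and SECRET_TAG_RE.search(child.tag):
                kind = classify(value)
                recovered = None if kind == "hash" else value
                if kind == "base64":
                    recovered = base64.b64decode(value).decode("ascii")
                findings.append((child_path, kind, recovered))
            walk(child, child_path)
    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed sample reports the admin password as a non-recoverable hash and the PPP, RADIUS and IPsec credentials in the clear, which is the reason the page gives for protecting the file itself rather than relying on how values are encoded inside it.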