topic Re: table password hideing, unlocking in SAS Programming

table password hideing, unlocking

ger15xxhcker — Thu, 23 Jan 2020 18:51:33 GMT

There is a table with important data. It is password protected. I would like to use this in a program. After processing the table I would use sha encryption. How do I unlock my password if:

-I would like it if the password was not visible in the code
-I would like it not to be visible in the log at run time

How could this problem be solved?

Thank you very much

Re: table password hideing, unlocking

SASKiwi — Thu, 23 Jan 2020 18:58:31 GMT

You can use the PWENCODE procedure to encode the password: https://documentation.sas.com/?docsetId=proc&docsetTarget=n1vzmasf0tdebfn1xec0k1tevq7q.htm&docsetVersion=9.4&locale=en

That doesn't prevent someone else copying the encoded version and using it in their own programs though.

Re: table password hideing, unlocking

ger15xxhcker — Thu, 23 Jan 2020 19:04:08 GMT

Thanks! Yes but this will show the burned password in code. It will not be visible in the log but it is not enough now.

Re: table password hideing, unlocking

SASKiwi — Thu, 23 Jan 2020 20:15:08 GMT

You can also make it a bit harder to find the password by storing it in a macro variable. By default SAS does not resolve macro variable values in SAS logs.

Re: table password hideing, unlocking

Quentin — Thu, 23 Jan 2020 21:56:29 GMT

If table means database table, and you're in a SAS metadata server environment, you've got lots of secure options for authentication. See e.g. this post from @ChrisHemedinger :

https://blogs.sas.com/content/sasdummy/2010/11/23/five-strategies-to-eliminate-passwords-from-your-sas-programs/

(And since it's almost 10 years old, there may be five newer strategies by now...)

Also see this other post by Chris, has examples of storing password (could be encrypted via pwencode value) in a secure text file, and reading that file to push the value to a macro variable.

https://blogs.sas.com/content/sasdummy/2018/01/16/hide-rest-api-tokens/

For the most part, if its obvious to SAS from the context of your code that a value is a password, e.g. (password=&password option or whatever), even if you have MPRINT on SAS won't show the resolved value in the log. Don't know about symbolgen.

Re: table password hideing, unlocking

Patrick — Fri, 24 Jan 2020 03:19:00 GMT

@ger15xxhcker

If you really want to secure your SAS table then store your data under a metadata bound library as documented here.

This will allow you to manage all data access via metadata security, you'll never have to pass a password via code, and you have multiple options how your physical data at rest should be encrypted.