Mark Walker wrote:
I'm curious. How do you feel about having a scrambling algorithm
embedded in your application, but having the scrambled password publicly
readable in a config file? Does that seem secure? This is what you
have to do if you want your users to connect to different databases
choosing their own password.
I never said anything about a readable config file.
If your users are specifying their own password and you want to store
passwords in a local config file on the users system then nothing is
stopping you doing so. If this was the case I would put only what the
user specifies in said config file, then when the password is retrieved
from the file on application startup, perform your hashing/adding secret
words etc. Anything I've done I do this way (in most cases though I use
the registry rather then a config file since I deal primarily with
weenblows.
How would you deal with open source applications where the
scrambling/unscrambling algorithms would presumably be public? Are
there methodologies for developing custom algorithms that could be
triggered during builds?
Open source applications are a different situation altogether. The kind
of security that Andrus appears to be looking for would give the
impression that it is not an open source application he is dealing with.
I could be wrong though.
Having said that, yes if you are using an open source application any
scrambling algorithms would be public, as would any passwords embedded
within your source.
In this case, then perhaps a 'proxy' application running on your own
server would be the best option (I think someone else suggested this
earlier in the thread) for serving the database requests.
--
Paul Lambert
Database Administrator
AutoLedgers