Re: [dtp-dev] BZ Bug 163502 - db connection password is stored in clear text

Hey all,

> We are considering a solution to this bug but would like to get some
> feedback before implementing it. The problem is that the driver
> template, which can specify user ID and password defaults, is
> specified in plugin.xml and unencrypted. The two options that are
> being floated around are:
> 1) Suggest that people not include the default password as a
> property in their driver template, since it is not encrypted.
> 2) In the Driver Edit dialog, where the driver template properties
> are listed with their defaults, we should remove the masking for the
> password property to show more clearly that it is unencrypted.
> What do you think about removing the masking of the password for
> driver definitions? The encryption and password masking would stay
> in place for profiles, which are minimally encrypted at this point.
> But we would show the password (if included) for driver templates in
> plaintext.

I think it's important to point out that this information is used solely
for initializing fields in the new connection profile wizard.  The initial
use case was to have these values (UID/PWD) defaulted to well-known (i.e.
documented) values.  For example, the uid/pwd for a sample DB included as
part of the install; or, less likely, the default admin uid/pwd for a
server (e.g. "sa"/"" for ASE).  It was not intended for specifying specific
credentials for a specific user (although it can be, which I think is part
of the problem).

Anyway, my vote would be to remove the password field.  If this isn't the
"winning" proposition, I think the property name should be changed to
"Default password" (as should the other properties in the driver
definition; i.e. they should be prefixed with "default").
