- This topic has 4 replies, 4 voices, and was last updated 19 years ago by Riyad Kalla.
-
AuthorPosts
-
GE Healthcare SupportMemberHello,
Recently after reviewing MyEclipse with our DBAs, they were concerned that it:
1. Gives the user the option of saving the database password
2. Stores that password in clear textShort-term we’d like it if MyEclipse could provide us with a version of sqlexplorer that either doesn’t have the save password option, or is just broken where it doesn’t write the proper or any value in the password area of the stored connections.
Long-term, or if you can provide quickly even as a pilot to us, we might be able to live with a solution where the password was hashed, but there are some DBAs in our company that might still prefer the ability to only hand out the tool without save password as an option.
Obviously you need a solution that is maintainable as a single development stream for MyEclipse though. I’m sure that others would want password encryption and perhaps there could be a hidden preference that we (or other enterprise MyEclipse clients) could hard code ourselves into the preference file regarding not completing the save portion of a password so that we could achieve our limitation of the product, but all normal users wouldn’t see this. Let me know what might be possible,
Jay
Riyad KallaMemberJay,
This was forwarded to the folks that will take care of you, stay tuned.
Scott AndersonParticipantJay,
Thank you for your comments. We recognize that saving the DB password in clear text is a significant problem and have recently added a bug report for it. In the next release of MyEclipse, the password will follow the” Eclipse CVS password save convention” that we also use in our Bugzilla plugin, which is to DES-encrypt the password in the preference store. Deciding to use any of the password save features in the product will continue to be a user / organization policy decision.
Since it sounds like there is some discomfort with saving passwords at all within your organization, regardless of whether or not they’re encrypted, would it be possible for you to simply make it clear to your user base what the corporate policy is regarding this issue? If you determine that something more is absolutlely required, I’d encourage you to contact the company representatives you dealt with while setting up your enterprise license as they’ll likely be able to discuss other custom options for you.
anderma8MemberI’m trying to write a quick utility that will encrypt a string. Can anyone point me to where I might find something on the web? I’ve found cryptix so far, but I’m sort of going blind on this one. I don’t have much experience with encryption… yet 9hehe)
Thanks…
Riyad KallaMemberanderma8,
Look up “Java MD5 encoding” on google, that should get you started with the Digest class and basically how encoding/decoding works (wel in the case of 1-way hash’s like MD5, there is no decoding step). -
AuthorPosts