| Subject: | RE: Warning: registry stores odbc-password as clear text |
|---|---|
| From: | Ismael Touama (isma...@install.fr) |
| Date: | 09/06/2001 12:46:25 AM |
| List: | com.mysql.lists.win32 |

Hi Venu and List!

Thanks for replying.

I bring some details concerning my.ini. It seems I don't have any password in my registry. I use a DSN-less connection to connect to MySQL.

I changed my super-user password a few days ago, and my.ini contains the old one. It seems that it is winmysqladmin that sets the FIRST value of the super-user password.

Yes, it's clear that as MySQL is open source, any cracker can use your own method to decrypt the pass. So to have a more secure configuration, we have to follow secure administration management of the OS.

Are WinNT and W2K OS secure only if their partition (or installation) is put as NTFS?

Thanks, Ismaël.

-----Original Message-----
From: Venu [mailto:ve...@mysql.com]
Sent: Thursday, September 6, 2001 06:58
To: Scott Swift; Ismael Touama; Hakan Elmqvist; myo...@lists.mysql.com
Subject: RE: Warning: registry stores odbc-password as clear text

Hi scott !!

)-----Original Message-----
)From: Scott Swift [mailto:fssw...@celer.org]
)Sent: Wednesday, September 05, 2001 9:46 PM
)To: 've...@mysql.com'; Ismael Touama; Hakan Elmqvist; myo...@lists.mysql.com
)Subject: RE: Warning: registry stores odbc-password as clear text
)
)The registry is secure if you're using Windows NT/2000 as it won't allow
)other users to browse through your HKEY_USER branch (provided that you also
)trust your administrators)
)
)I can't remember for sure but I think the only time ODBC will store any
)values under the HKEY_LOCAL_MACHINE branch (which is vulnerable) is if you
)create File DSN rather than a User/System DSN
)

Yes, one way it's right.

Regards, venu
--
For technical support contracts, go to https://order.mysql.com/
Mr. Venu <mailto:ve...@mysql.com>
MySQL AB, Developer
Woodside, California USA
www.mysql.com

)
)-----Original Message-----
)From: Venu [SMTP:ve...@mysql.com]
)Sent: Wednesday, September 05, 2001 9:10 PM
)To: Ismael Touama; Hakan Elmqvist; myo...@lists.mysql.com
)Subject: RE: Warning: registry stores odbc-password as clear text
)
))-----Original Message-----
))From: Ismael Touama [mailto:isma...@install.fr]
))Sent: Monday, September 03, 2001 8:04 AM
))To: Hakan Elmqvist; myo...@lists.mysql.com
))Subject: RE: Warning: registry stores odbc-password as clear text
))
))Hi,
))
))it's the same in my.ini...
))
))ism
))
))-----Original Message-----
))From: Hakan Elmqvist [mailto:hak...@ki.se]
))Sent: Sunday, September 2, 2001 11:10
))To: myo...@lists.mysql.com
))Subject: Warning: registry stores odbc-password as clear text
))
))By accident I found that the Windows registry stores the password as clear
))text under several keys. This applies to MyODBC as well as to the other
))drivers.
))Take for instance a look under
))
))[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\***]
))[HKEY_USERS\***\Software\ODBC\ODBC.INI\***]
))
))So if you are security minded do not fill out the password in the setup box
))(This does not only apply to ODBC, you may find your passwords under other
))keys in the registry as well, do a scan and see what turns up)
))H
)
)Monty's comment on this....
)
)"
)Venu> I am not sure whether this is a right way of doing it. Is it so? Why can't
)Venu> we store by encrypting before setting it in to the registry, and decrypting
)Venu> it whenever needed (even in the similar lines)? Can we do this logic for
)Venu> MyODBC3 driver?
)
)This will not help. As MyODBC is free source, it would be trivial for
)any decent cracker to find the MyODBC password entries and use our own
)decrypt algorithm to decrypt the password.
)
)If we can't fix this properly, I don't think we should try to fix this
)at all; Storing something that looks secure but isn't will just create
)false confidence and in the long run just make things worse.
)
)Venu> Also, some one pointed that we are also storing the password in the similar
)Venu> lines in my.ini file and it looks to me true when I saw its contents, and it
)Venu> clearly displays the password in the character string.
)
)Yes; If one stores a password in the my.ini one should be sure that
)the file is protected by the OS and is only readable by the user in
)question.
)"
)
)Regards, venu
)--
)For technical support contracts, go to https://order.mysql.com/
)Mr. Venu <mailto:ve...@mysql.com>
)MySQL AB, Developer
)Woodside, California USA
)www.mysql.com
)
)---------------------------------------------------------------------
)Please check "http://www.mysql.com/Manual_chapter/manual_toc.html" before
)posting. To request this thread, e-mail myod...@lists.mysql.com
)
)To unsubscribe, send a message to the address shown in the
)List-Unsubscribe header of this message. If you cannot see it,
)e-mail myod...@lists.mysql.com instead.
)
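An added example, not part of the original thread and not MyODBC code: a Python audit over a `.reg` export that reports which DSNs under the `ODBC.INI` keys named in the thread hold a non-empty password value, and whether the key is machine-wide or per-user. The value names `Password` and `PWD`, the function name and the sample export are assumptions constructed for illustration.

```python
import re

# Assumption: value names a driver might use for the password (not from the thread).
PASSWORD_VALUE_NAMES = {"password", "pwd"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Matches <hive>\[<SID>\]Software\ODBC\ODBC.INI\<DSN>, the two key shapes in the thread.
ODBC_INI_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?:[^\\]+\\)?Software\\ODBC\\ODBC\.INI\\(?P<dsn>[^\\]+)$",
    re.IGNORECASE,
)

def find_stored_odbc_passwords(reg_text):
    """Return one finding per DSN key that stores a non-empty password value."""
    findings, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = ODBC_INI_RE.match(section.group("key"))
            continue
        value = VALUE_RE.match(line)
        if not (current and value and value.group("data")):
            continue
        if value.group("name").lower() in PASSWORD_VALUE_NAMES:
            hive = current.group("hive").upper()
            findings.append({
                "dsn": current.group("dsn"),
                "scope": "machine-wide" if hive == "HKEY_LOCAL_MACHINE" else "per-user",
                "value": value.group("name"),
                "length": len(value.group("data")),  # report size, never the secret
            })
    return findings

# Constructed sample export (hosts, SIDs and secrets are made up).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI\inventory]
"Server"="db.example.test"
"Password"="constructed-secret"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\ODBC\ODBC.INI\reports]
"User"="alice"
"Password"=""

[HKEY_USERS\S-1-5-21-0-0-0-1002\Software\ODBC\ODBC.INI\billing]
"PWD"="x1"
'''

if __name__ == "__main__":
    for finding in find_stored_odbc_passwords(SAMPLE_EXPORT):
        print(finding)
```

DSNs reported as machine-wide are the ones to clear first, since the thread identifies the `HKEY_LOCAL_MACHINE` branch as the exposed one.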




