On Mon, 13 Jul 2015 17:44:09 +0300, Alex Peshkoff <peshk...@mail.ru> wrote:
> On 07/13/2015 04:07 PM, Paul Reeves wrote:
>> On Monday 13 July 2015 13:33:48 Alex Peshkoff wrote:
>>> Windows installer still suggests as a default to provide legacy
>>> authentication. For how long do we keep insecure choice as a default?
>> That is a very good question.
>>
>> In my opinion it should be the default for v3.0,
>
> I strongly disagree with that suggestion.
> Plain passwords traveling over the wire is the Achilles heel of Firebird
> security for many years, and we should not keep it as the default for
> some more years. The rule of thumb is that default setup must be as
> secure as possible, and only having that solid background we may provide
> to users options for backward compatibility.

As far as I recall we had this discussion last year (or two years ago). I believe we settled on having legacy authentication enabled by default for the sake of ease of transition, especially as most connection libraries that do not use fbclient.dll/libfbclient.so are not ready to use the new authentication model.

Mark

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel