Title: Re: [JBoss-user] how to encode database password in descriptor file mysql-ds.xml
No, I don't think asking for the password at startup would be
desirable.  No one wants to hang around the console when the
machine is booting.  And the app server is probably on some server
in some machine room where no one would notice any prompt
on the console anyway.
 
JD
 
-----Original Message-----
From: Rupp, Heiko [mailto:[EMAIL PROTECTED]
Sent: Monday, February 02, 2004 9:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] how to encode database password in descriptor file mysql-ds.xml

I am still not convinced, but I see your point.
 
Would it help/make sense that the server asks for the password at startup?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of JD Brennan
Sent: Friday, January 30, 2004 10:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] how to encode database password in descriptor file mysql-ds.xml

Storing a private key in a java .class file does add a useful level of
security.
 
1) Customers perceive this as valuable.  They aren't geeks, so they
don't get it, but they still buy your product or not.  And if your
competitor obscures the DB password and you don't, then that's
one more reason to buy from the competitor.
 
2) A private key embedded in a .class will keep out some less
sophisticated crackers.  And that adds value.   Think about why
you lock the door to your house.  You know that won't keep anyone
out.  They can freeze the lock, pick it, break a window.  A key
door lock isn't real security.  But you do it anyway, because it does
add some value (keeping out unsophisticated thieves).
 
JD
 
-----Original Message-----
From: Rupp, Heiko [mailto:[EMAIL PROTECTED]
Sent: Friday, January 30, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] how to encode database password in descriptor file mysql-ds.xml

<...>

And now .. when the server encrypts the password it either does some trivial thing (like rot13 encoding) or it uses a real (possibly symmetrical) encryption algorithm. In the latter case, it uses a key to help with encryption. This key is stored somewhere in the server, where at the end everyone can read it and use it with the said encryption algorithm. The key/password is only secured by obscurity.

   Heiko
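The mechanism Heiko describes, as an added example that is not part of the thread and not JBoss code: a toy of the "real encryption algorithm with a key stored in the server" case, written in Python rather than Java so it runs stand-alone. The key constant EMBEDDED_KEY stands in for a string compiled into a .class file; the descriptor is a constructed mysql-ds.xml in the JBoss 3.x layout; the HMAC-based keystream is an assumed toy cipher, not what any vendor ships. The point it makes is that the attacker's recovery step is the same function the server runs at startup, with the same inputs the server has on disk.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Assumed for the example: the vendor's key, standing in for a constant compiled
# into a .class file that ships with the server. Anyone who can read the class
# can read it (javap -v, or even strings(1), prints constant-pool strings).
EMBEDDED_KEY = b"example-vendor-key-shipped-in-a-class-file"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_password(plaintext: str, key: bytes = EMBEDDED_KEY) -> str:
    """What a vendor's 'encode password' tool would do once; the output goes into mysql-ds.xml."""
    nonce = os.urandom(8)
    data = plaintext.encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))
    return nonce.hex() + ":" + ct.hex()


def decrypt_password(encoded: str, key: bytes = EMBEDDED_KEY) -> str:
    """What the server does at startup: same key, same keystream, XOR undoes the XOR."""
    nonce_hex, ct_hex = encoded.split(":", 1)
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


# Constructed descriptor in the JBoss 3.x mysql-ds.xml layout; only <password> is encoded.
DESCRIPTOR_TEMPLATE = """<datasources>
  <local-tx-datasource>
    <jndi-name>MySqlDS</jndi-name>
    <connection-url>jdbc:mysql://db.example.internal:3306/shop</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>shop</user-name>
    <password>{encoded}</password>
  </local-tx-datasource>
</datasources>
"""


def build_descriptor(db_password: str) -> str:
    """The descriptor an admin would deploy, with the password encoded rather than plain."""
    return DESCRIPTOR_TEMPLATE.format(encoded=encrypt_password(db_password))


def _password_element(descriptor_xml: str) -> str:
    root = ET.fromstring(descriptor_xml)
    return root.findtext("./local-tx-datasource/password")


def server_startup(descriptor_xml: str) -> str:
    """The server's path: read the descriptor from the deploy directory, decrypt with
    the key it ships with, hand the plaintext to the JDBC driver."""
    return decrypt_password(_password_element(descriptor_xml), EMBEDDED_KEY)


def recover_from_deployment(descriptor_xml: str, key_read_from_class: bytes) -> str:
    """The attacker's path, given read access to the deploy directory and to the server's
    classes. It is the identical computation, so it cannot be withheld from anyone who can
    read what the server reads: the 'secured by obscurity' point."""
    return decrypt_password(_password_element(descriptor_xml), key_read_from_class)


if __name__ == "__main__":
    descriptor = build_descriptor("s3cret-db-pass")
    print(descriptor)
    print("server sees:  ", server_startup(descriptor))
    print("attacker sees:", recover_from_deployment(descriptor, EMBEDDED_KEY))
```

Swapping the toy keystream for a real cipher changes nothing about the outcome: whatever the server can decrypt unattended at boot, a reader of the same files can decrypt too. What the encoding does buy is what JD describes, keeping the plaintext out of casual view of the descriptor.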

 

 
