This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
| Summary: | Insecure storage of database passwords | ||
|---|---|---|---|
| Product: | db | Reporter: | Jesse Glick <jglick> |
| Component: | Code | Assignee: | Jiri Rechtacek <jrechtacek> |
| Status: | VERIFIED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 6.x | ||
| Hardware: | All | ||
| OS: | All | ||
| Issue Type: | DEFECT | Exception Reporter: | |
| Bug Depends on: | 173413 | ||
| Bug Blocks: | |||
|
Description
Jesse Glick
2009-12-04 13:25:01 UTC
Also need to improve storing password in db.mysql as well. Using Keyring API doesn't pass well in current handling DatabaseConnection via InstanceDataObjects. Reading/Saving passwords while startup/closing IDE sesstion is intruded by filling a master password. Moreover, some sample DB Connection are prepared incl. well-known password and users don't like to setup a master password in such cases in each session. IMHO it needs UI review how and where change it. A master password dialog is only shown on platforms which do not have a native keyring or login encryption, such as Solaris 10/JDS or KDE. Most users should never see this. If you come across this dialog when using a commonly encountered platform please file an issue with details to reproduce. For sample databases with well-known passwords, don't try to store the default password in the keyring. It does not make any sense. The keyring should be for secrets. True passwords should be saved when you make the DB connection, not at IDE shutdown. Probably database connections should not be made automatically during IDE startup; slows down startup anyway, and is not necessary unless you either (1) expand the DB node under Services or (2) run an app using that connection, both of which could be checked for separately I guess. > --- Comment #3 from Jesse Glick <jglick@netbeans.org> 2009-12-18 11:22:37 --- > A master password dialog is only shown on platforms which do not have a native > keyring or login encryption, such as Solaris 10/JDS or KDE. Most users should > never see this. If you come across this dialog when using a commonly > encountered platform please file an issue with details to reproduce. Aha, I don't know it. I'm seeing master-password dialog nn my Ubuntu9.10(Gnome) too. Probably I need to switch on something. > For sample databases with well-known passwords, don't try to store the default > password in the keyring. It does not make any sense. The keyring should be for > secrets. Right, It's need to make a difference for sample and rest of databases. > True passwords should be saved when you make the DB connection, not at IDE > shutdown. Probably database connections should not be made automatically during > IDE startup; slows down startup anyway, and is not necessary unless you either > (1) expand the DB node under Services or (2) run an app using that connection, Yes, it's the current state. > both of which could be checked for separately I guess. (In reply to comment #4) > I'm seeing master-password dialog [o]n my Ubuntu9.10(Gnome) Then something is definitely amiss. (This is the same environment I use.) Run with -J-Dorg.netbeans.modules.keyring=0 for clues. core-main/rev/0129487941e2 Looks good for me. DB connections work as expected and there are no plain passwords found. Checked on Windows and Linux. |