Bug 178169 - Insecure storage of database passwords
Insecure storage of database passwords
Status: VERIFIED FIXED
Product: db
Classification: Unclassified
Component: Code
6.x
All All
: P2 (vote)
: 6.x
Assigned To: Jiri Rechtacek
issues@db
:
Depends on: 173413
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-04 13:25 UTC by Jesse Glick
Modified: 2010-05-12 11:30 UTC (History)
0 users

See Also:
Issue Type: DEFECT
:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jesse Glick 2009-12-04 13:25:01 UTC
config/Databases/Connections/jdbc_derby___*.xml#/connection/password/@value stores a user password in an insecure fashion (Base64.byteArrayToBase64), and probably other database modules do the same since DatabaseConnectionConvertor seems to be responsible. Should be fixed to use the proposed keyring API.

For compatibility, when reading old settings, read the password; store to keyring; then delete the password from disk.
Comment 1 Jiri Rechtacek 2009-12-18 04:29:57 UTC
Also need to improve storing password in db.mysql as well.
Comment 2 Jiri Rechtacek 2009-12-18 10:11:16 UTC
Using Keyring API doesn't pass well in current handling DatabaseConnection via InstanceDataObjects. Reading/Saving passwords while startup/closing IDE sesstion is intruded by filling a master password. Moreover, some sample DB Connection are prepared incl. well-known password and users don't like to setup a master password in such cases in each session. IMHO it needs UI review how and where change it.
Comment 3 Jesse Glick 2009-12-18 11:22:37 UTC
A master password dialog is only shown on platforms which do not have a native keyring or login encryption, such as Solaris 10/JDS or KDE. Most users should never see this. If you come across this dialog when using a commonly encountered platform please file an issue with details to reproduce.

For sample databases with well-known passwords, don't try to store the default password in the keyring. It does not make any sense. The keyring should be for secrets.

True passwords should be saved when you make the DB connection, not at IDE shutdown. Probably database connections should not be made automatically during IDE startup; slows down startup anyway, and is not necessary unless you either (1) expand the DB node under Services or (2) run an app using that connection, both of which could be checked for separately I guess.
Comment 4 Jiri Rechtacek 2009-12-21 01:13:41 UTC
> --- Comment #3 from Jesse Glick <jglick@netbeans.org>  2009-12-18 11:22:37 ---
> A master password dialog is only shown on platforms which do not have a native
> keyring or login encryption, such as Solaris 10/JDS or KDE. Most users should
> never see this. If you come across this dialog when using a commonly
> encountered platform please file an issue with details to reproduce.
Aha, I don't know it. I'm seeing master-password dialog nn my Ubuntu9.10(Gnome) too. Probably I need to switch on something.

> For sample databases with well-known passwords, don't try to store the default
> password in the keyring. It does not make any sense. The keyring should be for
> secrets.
Right, It's need to make a difference for sample and rest of databases.

> True passwords should be saved when you make the DB connection, not at IDE
> shutdown. Probably database connections should not be made automatically during
> IDE startup; slows down startup anyway, and is not necessary unless you either
> (1) expand the DB node under Services or (2) run an app using that connection,
Yes, it's the current state.
> both of which could be checked for separately I guess.
Comment 5 Jesse Glick 2009-12-21 10:30:28 UTC
(In reply to comment #4)
> I'm seeing master-password dialog [o]n my Ubuntu9.10(Gnome)

Then something is definitely amiss. (This is the same environment I use.) Run with

  -J-Dorg.netbeans.modules.keyring=0

for clues.
Comment 6 Jiri Rechtacek 2010-05-05 08:13:56 UTC
core-main/rev/0129487941e2
Comment 7 Michael Nazarov 2010-05-12 11:30:42 UTC
Looks good for me. DB connections work as expected and there are no plain passwords found.
Checked on Windows and Linux.


By use of this website, you agree to the NetBeans Policies and Terms of Use. © 2012, Oracle Corporation and/or its affiliates. Sponsored by Oracle logo