ODBC MySQL Password as plain text
on 18.11.2009 18:59:05 by Tompkins Neil
Hi
The MySQL ODBC connection password is stored as plain text in the Windows
registry. What is the best way to overcome this issue - to ensure the
password is saved securely?
Thanks,
Neil
Fwd: ODBC MySQL Password as plain text
on 19.11.2009 12:46:05 by Tompkins Neil
Following my previous email. I've now configured my database connection
using an ODBC DNSLESS SSL connection. However the problem still remains, the
password is stored in the ASP file in plain text. Does anyone have any
recommendations on how to overcome this issue?
Cheers
Neil
---------- Forwarded message ----------
From: Tompkins Neil
Date: Wed, Nov 18, 2009 at 5:59 PM
Subject: ODBC MySQL Password as plain text
To: "[MySQL]"
Hi
The MySQL ODBC connection password is stored as plain text in the Windows
registry. What is the best way to overcome this issue - to ensure the
password is saved securely?
Thanks,
Neil
Re: Fwd: ODBC MySQL Password as plain text
on 19.11.2009 13:40:15 by Jay Ess
Tompkins Neil wrote:
> Following my previous email. I've now configured my database connection
> using an ODBC DNSLESS SSL connection. However the problem still remains, the
> password is stored in the ASP file in plain text. Does anyone have any
> recommendations on how to overcome this issue?
>
Secure the access to the ASP-source file.
You *could* encrypt it but then you have to store the key for it
somewhere the ASP can access and ..... Catch 22.
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org
Re: Fwd: ODBC MySQL Password as plain text
on 19.11.2009 13:44:47 by Tompkins Neil
Hi Jay,
This was my thought. Maybe encrypt the password in the DNSless connection
and have a key somewhere within an external file. However if someone found
the key in this file they could still access it. Any other thoughts on how
to overcome this?
Cheers
Neil
On Thu, Nov 19, 2009 at 12:40 PM, Jay Ess wrote:
> Tompkins Neil wrote:
>
>> Following my previous email. I've now configured my database connection
>> using an ODBC DNSLESS SSL connection. However the problem still remains,
>> the password is stored in the ASP file in plain text. Does anyone have any
>> recommendations on how to overcome this issue?
>>
>>
> Secure the access to the ASP-source file.
> You *could* encrypt it but then you have to store the key for it somewhere
> the ASP can access and ..... Catch 22.
Re: Fwd: ODBC MySQL Password as plain text
on 20.11.2009 11:47:54 by Tompkins Neil
I wondered if anyone else had any thoughts on this issue?
Cheers
Neil
On Thu, Nov 19, 2009 at 12:40 PM, Jay Ess wrote:
> Tompkins Neil wrote:
>
>> Following my previous email. I've now configured my database connection
>> using an ODBC DNSLESS SSL connection. However the problem still remains,
>> the password is stored in the ASP file in plain text. Does anyone have any
>> recommendations on how to overcome this issue?
>>
>>
> Secure the access to the ASP-source file.
> You *could* encrypt it but then you have to store the key for it somewhere
> the ASP can access and ..... Catch 22.
Re: Fwd: ODBC MySQL Password as plain text
on 20.11.2009 16:30:58 by Tompkins Neil
Don
Thanks for your response. The issue I have is that the password for our
database is stored either in the ODBC registry or within our ASP page as
plain text. One option I have is to encrypt the password in the database
connection string and have a function with a key in an external file that
can unlock it.
The problem remains though - that if the web server is hacked, the hacker
can still navigate their way to the file containing the key to unlock the
password.
Does that make any sense?
Cheers
Neil
On Fri, Nov 20, 2009 at 3:18 PM, Don Cohen wrote:
> Tompkins Neil writes:
> > I wondered if anyone else had any thoughts on this issue?
> > >> Following my previous email. I've now configured my database connection
> > >> using an ODBC DNSLESS SSL connection. However the problem still remains,
> I'm not sure what dnsless means (that you allow only certain ip
> addresses?) or what difference it makes.
>
> > >> the
> > >> password is stored in the ASP file in plain text. Does anyone have any
> > >> recommendations on how to overcome this issue?
> Is the issue that you're worried that your web server will serve the
> contents of the asp file? And I gather that you want the file to
> access the DB without the user having to supply a password.
> I'll just guess that asp files are similar to php files.
> One thing you could do is have that file read the password from
> another file that is in some place where the web server does not look.
>
> > > Secure the access to the ASP-source file.
> > > You *could* encrypt it but then you have to store the key for it somewhere
> > > the ASP can access and ..... Catch 22.
>
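Added example, not part of the original thread: a small Python audit for the two suggestions made in the replies above (keep the password out of the ASP source, and keep the file that holds it where the web server does not look). The file extensions, directory names, sample connection string and the `ReadSecret` helper are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: a literal PWD=... / Password=... value inside a connection string.
# A value built at run time ("PWD=" & secret) does not match, since the
# character after "=" is a quote.
INLINE_PWD = re.compile(r"(?i)\b(?:pwd|password)=[^;\"'\s&]+")
SCRIPT_EXT = {".asp", ".asa", ".inc"}

def find_inline_passwords(web_root):
    """Return (relative path, line number) for each line with a literal password."""
    root = Path(web_root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        lines = path.read_text(errors="replace").splitlines()
        hits += [(path.relative_to(root).as_posix(), n)
                 for n, line in enumerate(lines, 1) if INLINE_PWD.search(line)]
    return hits

def is_outside_web_root(secret_file, web_root):
    """True when secret_file, after resolving '..' and links, is not under web_root."""
    secret, root = Path(secret_file).resolve(), Path(web_root).resolve()
    return secret != root and root not in secret.parents

def demo():
    """Build a constructed site tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "wwwroot"
        (web_root / "inc").mkdir(parents=True)
        # Constructed "before": password literal in the DSN-less string.
        (web_root / "inc" / "db.asp").write_text(
            '<%\nconnStr = "DRIVER={MySQL ODBC 5.1 Driver};SERVER=db.example.test;" _\n'
            '  & "DATABASE=app;UID=web;PWD=constructed-secret;"\n%>\n')
        # Constructed "after": value read from a file at run time.
        (web_root / "ok.asp").write_text(
            '<%\ndbSecret = ReadSecret()  \' hypothetical helper\n'
            'connStr = baseStr & "PWD=" & dbSecret & ";"\n%>\n')
        return (find_inline_passwords(web_root),
                is_outside_web_root(Path(tmp) / "private" / "db.pwd", web_root),
                is_outside_web_root(web_root / "inc" / ".." / "db.pwd", web_root))

if __name__ == "__main__":
    print(demo())
```

The path check resolves `..` before comparing, so a secret file referenced through a traversal that lands back inside the web root is still reported as inside it.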