Subject | Re: [ib-support] fb 8-letter password bug |
---|---|
Author | Paul Schmidt |
Post date | 2002-01-04T17:48:28Z |
On 4 Jan 2002, at 18:46, David K. Trudgett wrote:
> Of course, eight characters is nowhere near an acceptable limit these
> days, as an ordinary PC can brute force that space in fairly short
> order. Because of this, an eight character limit on passwords can
> easily be considered a bug in the broad sense, even though it is the
> designed behaviour. It should really go onto the list of future
> enhancements, if it's not there already.
Eight characters is probably OK in most cases; in fact most end
users probably would use 1 or 2 characters if they could get away
with it. There are a number of "better" things that could be done
with passwords than make them longer. Here are some examples:
Personally I think that security should be moved from the engine to
an external library so that different installations can do different
things. Here is the idea for Firebird: a function is developed,
int fb_authenticate (char *username, char *password, char *db_conn)
The engine calls this function; if it gets back a positive value, then
that value is the userid, which it can use as a user identifier. If it
gets back a negative value, then it's an error. A set of pre-defined
error codes for the authenticator would be defined in ibase.h.
The engine as supplied comes with a shared library which contains
a version of fb_authenticate that works like the current
authenticator, modified to work as above. However, a sys-admin
who is C-savvy could write his/her own version of fb_authenticate
that uses another method.
Now db_conn is a pointer to the connection to the database to use for
security. This is based on a flag inside the database you are
authenticating against that states whether security is internal to it
or external to the installation.
Another reason for outboard security: if Borland does something
different, someone could write a library to do it the Borland way,
and people who write authenticators could also post them for
download.
Too late for FB 1, but maybe we could consider something better for
the next version. If the moderator wishes, I will post this on
ib_priorities as it's really OT here.
Paul
Paul Schmidt
Tricat Technologies
paul@...
www.tricattechnologies.com
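The fb_authenticate contract proposed in the post above, as an added example that is neither Firebird's code nor the poster's: a hypothetical in-memory plug-in that returns the userid (always positive) on success and a negative pre-defined error code otherwise. The error codes, the user store, the 64-character limit and the FNV-1a hash are all constructed for the example; the post only says the codes would live in ibase.h.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical error codes; the post says these would live in ibase.h. */
enum {
    FB_AUTH_ERR_BAD_ARGS = -1,  /* NULL username or password */
    FB_AUTH_ERR_TOO_LONG = -2,  /* password exceeds this plug-in's limit */
    FB_AUTH_ERR_NO_USER  = -3,  /* username unknown */
    FB_AUTH_ERR_BAD_PASS = -4   /* password did not verify */
};
#define MAX_PASSWORD 64  /* the plug-in, not the engine, sets the limit */

/* FNV-1a keeps the example self-contained; a real plug-in would store a
 * salted password hash from a crypto library instead. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Constructed user store. Ids start at 1 so a valid result is always > 0
 * and can never be confused with an error code. */
struct user { int id; const char *name; uint32_t hash; };
static struct user users[] = { { 1, "sysdba", 0 }, { 2, "reporting", 0 } };
static int store_ready;

static void store_init(void) {
    /* Plaintext appears here only to seed the constructed store. */
    users[0].hash = fnv1a("a-much-longer-passphrase-than-8");
    users[1].hash = fnv1a("reporting-ro-2002");
    store_ready = 1;
}

/* db_conn is unused by this in-memory plug-in; a database-backed
 * version would read the user table through it. */
int fb_authenticate(char *username, char *password, char *db_conn) {
    size_t i;
    (void)db_conn;
    if (!store_ready) store_init();
    if (username == NULL || password == NULL) return FB_AUTH_ERR_BAD_ARGS;
    if (strlen(password) > MAX_PASSWORD) return FB_AUTH_ERR_TOO_LONG;
    for (i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].name, username) == 0)
            return fnv1a(password) == users[i].hash ? users[i].id
                                                    : FB_AUTH_ERR_BAD_PASS;
    }
    return FB_AUTH_ERR_NO_USER;
}
```

Because the engine treats any value above zero as the userid, a plug-in must never hand out id 0, and the engine should reject anything that is not strictly positive or a known negative code.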