Subject | Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
---|---|
Author | Kjell Rilbe |
Post date | 2008-11-11T19:56:34Z |
Teträm Corp wrote:
> and when your hacker has the SECUSER password, do you think he will stop
> there thinking "what a mess, a limited account!!!" and not try something
> like EXECUTE PROCEDURE (or select from procedure if you want) ???
> and so retrieve the SYSDBALIKE password (and now the login)...
>
> I continue, if hardcoding the SECUSER password seems enough, why not
> SYSDBALIKE one ? or, if you prefer, if hardcoding SYSDBALIKE password is
> not enough how could it be secure for SECUSER one which permit to get
> SYSDBALIKE one ?

Thierry,
The hacker can execute as much as he likes, but he won't get the
password back unless he provides a valid username/password combo as input.
Sure, he can brute-force his way in, but I think such attacks can be
prevented by other means, like e.g. blocking client IPs that fail too
many times in a row.
Kjell
--
--------------------------------------
Kjell Rilbe
DataDIA AB
E-post: kjell@...
Telefon: 08-761 06 55
Mobil: 0733-44 24 64
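The mitigation the reply leans on, blocking a client address after too many failed attempts in a row, looks roughly like this. This is an added example, not code from the thread or from Firebird: the `users` store, the PBKDF2 verifier, the client addresses and the thresholds are all constructed for illustration, and the guard is keyed on whatever address the server sees for the client.

```python
"""Per-client lockout after consecutive authentication failures.

Added example (not from the firebird-support thread). The user store,
thresholds and addresses below are constructed placeholders.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed thresholds; tune them to the deployment.
MAX_CONSECUTIVE_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) so a verifier, not the password, is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Verifier used when the username is unknown, so the work done (and thus the
# response time) does not reveal whether an account exists.
DUMMY_VERIFIER = hash_password("")


@dataclass
class ClientState:
    consecutive_failures: int = 0
    locked_until: float = 0.0  # 0.0 means "not locked"


class LoginGuard:
    """Counts consecutive failures per client address and locks the address out."""

    def __init__(self, max_failures=MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests can control time
        self._clients: dict[str, ClientState] = {}

    def _state(self, addr: str) -> ClientState:
        return self._clients.setdefault(addr, ClientState())

    def is_locked(self, addr: str) -> bool:
        st = self._state(addr)
        if st.locked_until and self.clock() >= st.locked_until:
            # Lockout expired: the client starts again with a clean slate.
            self._clients[addr] = ClientState()
            return False
        return st.locked_until > 0

    def record_failure(self, addr: str) -> bool:
        """Count one failure; return True if this one triggered the lockout."""
        st = self._state(addr)
        st.consecutive_failures += 1
        if st.consecutive_failures >= self.max_failures:
            st.locked_until = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, addr: str) -> None:
        """A valid login ends the run of failures ("in a row" semantics)."""
        self._clients.pop(addr, None)


def authenticate(guard: LoginGuard, users: dict, addr: str,
                 username: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied' for one login attempt."""
    if guard.is_locked(addr):
        return "locked"  # do not even check the credentials while locked
    salt, digest = users.get(username) or DUMMY_VERIFIER
    verified = verify_password(password, salt, digest)
    if username in users and verified:
        guard.record_success(addr)
        return "ok"
    guard.record_failure(addr)
    return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    users = {"alice": hash_password("correct horse")}  # constructed account
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", authenticate(guard, users, "10.0.0.1", "alice", attempt))
```

Keying the counter on the client address is the cheapest version of the idea and has two well-known limits: attempts spread across many addresses are never counted together, and a shared NAT address can be locked out by one misbehaving client. In practice it is paired with a per-account counter and with logging of the lockout events, so a run of failures shows up in monitoring rather than only in a silently reset counter.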