I'm making a desktop application (let's call it app) which uses a database (MySQL). Several app users share one database user. Example: John and Mike, app users, connect to the DB as "dbuser", etc.

The problem is: how do I effectively save passwords for DB users? (App users' passwords are stored in the DB.)

Possible solutions I found:
1. in the code - this is actually pretty stupid :D
2. in a text INI file - easy to read!
3. encrypted in an external file - good, but need access to the app.

+1  A: 

You can store it in the INI file in encrypted format. That is the best way IMHO. I store the connection string in the App.config of a .NET application in encrypted format.

EDIT:

To edit the connection string, I use another configuration value in AppSettings of the App.Config file: CSEncryption="Y|N|R"

If it is Y, the connection string is encrypted: decrypt it and use it.

If it is N, the connection string is not encrypted: use it directly.

If it is R, the connection string is not encrypted: encrypt it, update the connection string and set CSEncryption to 'Y' in App.Config.

Morbia
And how do you then edit the encrypted file, e.g. when migrating to another DB hostname?
Michal
On top of that you should always use a secure channel (SSL) to communicate with the server; otherwise with a little effort anyone can sniff some packets and find out the password.
rsilva
+1 to rsilva. If the database is accessible over a network, it is a good idea to use SSL to communicate with it
bodom_lx
And if you are going to go through all of that trouble, ensure the database user has the least amount of privileges to get the job done.
Brettski
Brettski - thanks, I handled that :) I'll give SSL a try also.
Michal
Please look at the example I gave to bodom_lx above.
Michal
+1  A: 

(app users's pwds are stored in DB).

Encrypt stored passwords using the SHA1/SHA2 algorithm. This is the most used technique. I'm not a .NET developer, but I'm pretty sure they provide the function somewhere.

When the user logs in, encrypt the given password again and compare it to the stored one. If they are equal, let the user log in.

bodom_lx
How do you edit them then?
Michal
You just overwrite them. See for example any dynamic website: if you want to change your password, you must provide the old one and then write the new one. The system encrypts the given old password, checks whether it is equal to the password actually stored, then encrypts the new password and overwrites the stored one.
bodom_lx
I see. Okay, I'll give you an example. I decide to change the location (IP) of the DB server which my app uses. Should I do it through the app GUI or just "manually" edit some external file from which the app loads data?
Michal
If you're using a very nice and easy configuration file, I think you could let the user edit that file manually. If the app is aimed at very inexperienced users, it would be better to have this job done by the app's GUI, through a Preferences window.
bodom_lx
I agree that the database IP should only be somewhere in a file. Also the DB users, but encrypted (in an external file).
Michal
Give SQLite (http://sqlite.org) a try as well. It is a very easy and tiny database system in the form of a library. I guess it is also packaged with the .NET framework. You could store any setting preference in any table, as well as encrypted passwords. The database is a single file within your project directory.
bodom_lx
Sounds good, but it is already quite ... ehm ... a big database (I use MySQL). The point is, it needs to be online, but I'll also look at SQLite as you suggest. Oh, and I don't use .NET, but Java ;)
Michal
Hmm, I don't know why I was completely convinced that you were using .NET :) Nobody will blame you if you use SQLite for internal details such as application configuration, user name etc., and keep using MySQL for the rest. SQLite is not an external database server; everything stays inside your application. Also db4o (http://db4o.com) is a very nice tool for Java that does the same job as SQLite, but is an object-oriented database.
bodom_lx
Well, I need an external DB server, but SQLite sounds perfect for saving internal data. But isn't it actually quite a luxury? :) When a text file is enough? :D
Michal
This depends on the quantity and the quality of the information you want stored. A text file is a good idea when you have little information, but you must pay attention to things such as updating fields or appending new lines. A tiny database automatically handles concerns like these, obviously.
bodom_lx
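The hash-then-compare login check from this answer and the change-password procedure from the comments, as an added example that is not from the original post. It is written in Python (the asker's app is Java, but nothing here is language-specific) and uses PBKDF2 over SHA-256 with a per-user random salt and a constant-time comparison, which goes beyond the plain SHA1/SHA2 hash the answer names; the USERS dict is a constructed stand-in for the app users table in MySQL.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "app users" table in the MySQL database.
# Each row keeps only a random salt and the password digest, never the password.
USERS = {}

SALT_BYTES = 16
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from password and salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(username: str, password: str) -> None:
    """Store a fresh salt and digest for the user; overwrites an existing row."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = {"salt": salt, "digest": hash_password(password, salt)}


def verify_login(username: str, password: str) -> bool:
    """Re-hash the supplied password and compare it with the stored digest."""
    row = USERS.get(username)
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, row["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(row["digest"], candidate)


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """The flow from the comments: check the old password, then overwrite the stored digest."""
    if not verify_login(username, old_password):
        return False
    create_user(username, new_password)  # new salt and digest replace the old row
    return True


if __name__ == "__main__":
    create_user("john", "s3cret-pw")
    print("login ok:", verify_login("john", "s3cret-pw"))
    print("wrong pw:", verify_login("john", "wrong"))
    print("changed:", change_password("john", "s3cret-pw", "new-pw"))
    print("new login ok:", verify_login("john", "new-pw"))
```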