Author Topic: Security issue !!!!! (Read 4523 times)

Martin Terreni · « **on:** January 13, 2008, 03:27:54 am »

Though I work on EA corporate edition for about a year now, I only just noticed that the passwords are visible in the "resent projects" dialog and data transfer dialog.
It means they are probably also not encrypted in the registry keys were they are saved.
This is a very serious issue that MUST be solved.
Please Sprx answer this one...

hd · « **Reply #1 on:** January 13, 2008, 01:07:07 pm »

Passwords can be encrypted for Oracle and SQL Server repositories.

For details, type Password Encryption into EA Help index.

Martin Terreni · « **Reply #2 on:** January 13, 2008, 09:28:34 pm »

This solution is complicated and it is something I surly can't ask almost a hundred designers to do. I find it hard to understand why it isn't encrypted by default ,or at list automaticaly when asking for it.
This is the way any normal application works. I never sow such a thing in any application that you must go to a menu supplying you with an encrypted password to copy paste to the actual password place.
This way of working is totaly useless and I chalenge you to find a company with more then 20 EA users wich applies it.
There is no way it can be used having lots of users!
It is a [size=18]VERY[/size] primitive solution and I'm surprised no one ever complaind about it.

Are you planning to change this solution eventualy? is there a time line for such change?

Martin Terreni · « **Reply #3 on:** January 14, 2008, 01:10:39 am »

I just figured out your encription, you [size=32]MUST[/size][/b] fix it in 7.1!!!!!!!!

Martin Terreni · « **Reply #4 on:** January 16, 2008, 09:40:27 pm »

Quote

Hello Martin,

We have delved into this a little deeper, and believe we have a satisfactory solution .

I don't know if you realize it, but you can save a shortcut to the project (File | Save Project As...),which shortcut stores the connection string, and is readable with a text editor.

We have added an option to the Save As dialog to encrypt the connection string with a stronger encryption algorithm. Here is a comparison of the resulting strings...

EAConnectString: ora10_ea --- DBType=3;Connect=Provider=OraOLEDB.Oracle.1;Password=sparx;Persist Security Info=True;User ID=ora10_ea;Data Source=ora10

EAConnectString: ora10_ea --- DBType=3;ConnectEx=+wkIE;B?e 52+H`"e?r-pb_ZyAI3a]Vsfh8p];Co\d/bnX$5<(;'US"^GxvbbRsK{*%AwL4y1{P<je.%R1?AY;y'!7pw$X%)_EwLXWpKg7tzLF=T

All you need to do is distribute this shortcut to all your users.

This feature has been included in version 7.1.

We hope this meets your requirements.

Not what I dreamed off, but it surly does the work.
Thanks for the fast solution.

Sparx Systems Forum

News: