Discussion:
ODBC MySQL Password as plain text
Tompkins Neil
2009-11-18 17:59:05 UTC
Hi

The MySQL ODBC connection password is stored as plain text in the Windows
registry. What is the best way to overcome this issue - to ensure the
password is saved securely

Thanks,
Neil
Tompkins Neil
2009-11-19 11:46:05 UTC
Following my previous email. I've now configured my database connection
using an ODBC DNSLESS SSL connection. However the problem still remains, the
password is stored in the ASP file in plain text. Does anyone have any
recommendations on how to overcome this issue ?

Cheers
Neil
Jay Ess
2009-11-19 12:40:15 UTC
Post by Tompkins Neil
> Following my previous email. I've now configured my database connection
> using an ODBC DNSLESS SSL connection. However the problem still remains, the
> password is stored in the ASP file in plain text. Does anyone have any
> recommendations on how to overcome this issue ?
Secure the access to the ASP-source file.
You *could* encrypt it but then you have to store the key for it
somewhere the ASP can access and ..... Catch 22.
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-***@m.gmane.org
Tompkins Neil
2009-11-19 12:44:47 UTC
Hi Jay,

This was my thought. Maybe encrypt the password in the DNSless connection
and have a key somewhere within an external file. However if someone found
the key in this file they could still access it. Any other thoughts on how
to overcome this ?

Cheers
Neil
Tompkins Neil
2009-11-20 10:47:54 UTC
I wondered if anyone else had any thoughts on this issue ?

Cheers
Neil
Tompkins Neil
2009-11-20 15:30:58 UTC
Don

Thanks for your response. The issue I have is that the password for our
database is stored either in the ODBC registry or within our ASP page as
plain text. One option I have is to encrypt the password in the database
connection string and have a function with a key in an external file that
can unlock it.

The problem remains though - that if the web server is hacked, the hacker
can still navigate their way to the file containing the key to unlock the
password.

Does that make any sense ?

Cheers
Neil
> Post by Tompkins Neil
> > I wondered if anyone else had any thoughts on this issue ?
> Post by Tompkins Neil
> > Following my previous email. I've now configured my database connection
> > using an ODBC DNSLESS SSL connection. However the problem still remains,
> I'm not sure what dnsless means (that you allow only certain ip
> addresses?) or what difference it makes.
> Post by Tompkins Neil
> > the password is stored in the ASP file in plain text. Does anyone have any
> > recommendations on how to overcome this issue ?
> Is the issue that you're worried that your web server will serve the
> contents of the asp file? And I gather that you want the file to
> access the DB without the user having to supply a password.
> I'll just guess that asp files are similar to php files.
> One thing you could do is have that file read the password from
> another file that is in some place where the web server does not look.
> Post by Jay Ess
> > Secure the access to the ASP-source file.
> > You *could* encrypt it but then you have to store the key for it somewhere
> > the ASP can access and ..... Catch 22.
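
The two suggestions in this thread (secure access to the file holding the password, and keep it somewhere the web server does not look) can be checked on the server with a short script. This is an added example, not code from any poster in the thread; the file path, web root, and principal list are assumptions to adjust for the actual host.

```powershell
# Added example: both paths are hypothetical placeholders.
param(
    [string]$SecretFile = 'D:\secrets\mysql_app.txt',   # assumed password file
    [string]$WebRoot    = 'C:\inetpub\wwwroot'          # assumed IIS site root
)

# Principals that should never be able to read the secret.
# Names are for English-language Windows; localized systems differ.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# True when the file sits anywhere below the web root, where a
# misconfigured handler could serve it as plain text.
function Test-UnderWebRoot {
    param([string]$Path, [string]$Root)
    $fullPath = [System.IO.Path]::GetFullPath($Path)
    $rootPath = [System.IO.Path]::GetFullPath($Root).TrimEnd('\') + '\'
    return $fullPath.StartsWith($rootPath, [System.StringComparison]::OrdinalIgnoreCase)
}

# Returns the Allow entries that grant read access to a broad principal.
function Get-BroadReadGrants {
    param([string]$Path)
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readBit) -ne 0) -and
        ($BroadPrincipals -contains $_.IdentityReference.Value)
    }
}

$findings = @()
if (Test-UnderWebRoot -Path $SecretFile -Root $WebRoot) {
    $findings += 'Secret file is inside the web root and could be served by IIS.'
}
foreach ($ace in Get-BroadReadGrants -Path $SecretFile) {
    $findings += "Readable by $($ace.IdentityReference) ($($ace.FileSystemRights))."
}

if ($findings.Count -eq 0) {
    'OK: outside web root, no broad read grants.'
} else {
    $findings
}
```

A clean result narrows who can read the password file; it does not remove the catch-22 raised above, since the account running the ASP code must still be able to read it.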