Use Secure-Storrage off eclipse

Feature requests and their debate

Use Secure-Storrage off eclipse

Postby rethus » Tue Jan 22, 2013 3:26 pm

Would be great, if dbeaver could use the secure-Storage of eclipse to save password, instead a File named data-sources.xml.

If not possible, would be good, if the file could named like a hidden file with a trailing .data-sources.xml
rethus
 
Posts: 38
Joined: Tue Jan 22, 2013 2:48 pm

Re: Use Secure-Storrage off eclipse

Postby Serge » Tue Jan 22, 2013 5:24 pm

Hi,

Looks like a good idea. Generally it is possible, I'll check for any potential problems in standalone version and probably we'll use secure storage in one of next versions.

Thanks.
Serge
 
Posts: 1526
Joined: Sat Feb 26, 2011 8:24 pm
Location: SPb

Re: Use Secure-Storrage off eclipse

Postby negora » Thu Oct 24, 2013 12:09 pm

I'm sorry for recovering an old thread. I also believe that having a secure key storage is a very interesting feature. I just wanted to show my support ;) .

Thank you!
negora
 
Posts: 7
Joined: Thu Oct 24, 2013 7:26 am

Re: Use Secure-Storrage off eclipse

Postby Serge » Thu Oct 24, 2013 2:41 pm

Hi,

This feature is still not implemented due to a few problems.
1. Eclipse secure storage framework is OS-dependent and won't work on some systems
2. Secure storage is almost useless in case of standalone RCP applications

Implementing it in plugin mode is also quite tricky. Secure storage maybe unavailable or broken in particular Eclipse installations.
Generally this feature may seriously complicate authentication UI and as a result may cause more harm than good for end-users.

Maybe I'm missing something but it looks like currently Eclipse secure storage is applicable only for Eclipse IDE. At least I failed to find any working sample of RCP applications using it.
Serge
 
Posts: 1526
Joined: Sat Feb 26, 2011 8:24 pm
Location: SPb

Re: Use Secure-Storrage off eclipse

Postby negora » Thu Oct 24, 2013 3:26 pm

Ops, I thought that it was an easier task. But if it's going to cause instability, I agree that it's better to leave it as is.

About the current storage method, What kind of algorithm does DBeaver use to hash the passwords? I've checked the file ~/.dbeaver/DBeaver/data-sources.xml and have seen some encrypted password. Could it be possible to store every password or at least the passwords of every data source with an exclusive salt? This salt could be stored in the same file. It's just to make massive brute force attacks more complicated. Also a slow algorithm such as PBKDF2 would help a lot in this task. I've no idea if you're already using this one.

Thank you.
negora
 
Posts: 7
Joined: Thu Oct 24, 2013 7:26 am

Re: Use Secure-Storrage off eclipse

Postby Serge » Wed Jan 22, 2014 12:46 pm

DBeaver uses custom algorithm to encode passwords. A time ago we have used java crypto and DES scheme. But in fact all this doesn't make much sense. As DBeaver is open source anybody can study sources and easily write a password decoder.
And there is no way to protect password better. The only solution is to use secure storage with master-password.

I'll try to integrate with Eclipse secure-storage one more time, maybe something was changed in 4.3..

Thanks for raising up this (very important in some cases) issue.
Serge
 
Posts: 1526
Joined: Sat Feb 26, 2011 8:24 pm
Location: SPb


Return to Feature Requests



Who is online

Users browsing this forum: No registered users and 10 guests