Would be great, if dbeaver could use the secure-Storage of eclipse to save password, instead a File named data-sources.xml.
If not possible, would be good, if the file could named like a hidden file with a trailing .data-sources.xml
Use Secure-Storrage off eclipse
6 posts
• Page 1 of 1
Use Secure-Storrage off eclipse
by rethus » Tue Jan 22, 2013 3:26 pm
- rethus
- Posts: 38
- Joined: Tue Jan 22, 2013 2:48 pm
Re: Use Secure-Storrage off eclipse
by Serge » Tue Jan 22, 2013 5:24 pm
Hi,
Looks like a good idea. Generally it is possible, I'll check for any potential problems in standalone version and probably we'll use secure storage in one of next versions.
Thanks.
Looks like a good idea. Generally it is possible, I'll check for any potential problems in standalone version and probably we'll use secure storage in one of next versions.
Thanks.
- Serge
- Posts: 1526
- Joined: Sat Feb 26, 2011 8:24 pm
- Location: SPb
Re: Use Secure-Storrage off eclipse
by negora » Thu Oct 24, 2013 12:09 pm
I'm sorry for recovering an old thread. I also believe that having a secure key storage is a very interesting feature. I just wanted to show my support 
.
Thank you!
.Thank you!
- negora
- Posts: 7
- Joined: Thu Oct 24, 2013 7:26 am
Re: Use Secure-Storrage off eclipse
by Serge » Thu Oct 24, 2013 2:41 pm
Hi,
This feature is still not implemented due to a few problems.
1. Eclipse secure storage framework is OS-dependent and won't work on some systems
2. Secure storage is almost useless in case of standalone RCP applications
Implementing it in plugin mode is also quite tricky. Secure storage maybe unavailable or broken in particular Eclipse installations.
Generally this feature may seriously complicate authentication UI and as a result may cause more harm than good for end-users.
Maybe I'm missing something but it looks like currently Eclipse secure storage is applicable only for Eclipse IDE. At least I failed to find any working sample of RCP applications using it.
This feature is still not implemented due to a few problems.
1. Eclipse secure storage framework is OS-dependent and won't work on some systems
2. Secure storage is almost useless in case of standalone RCP applications
Implementing it in plugin mode is also quite tricky. Secure storage maybe unavailable or broken in particular Eclipse installations.
Generally this feature may seriously complicate authentication UI and as a result may cause more harm than good for end-users.
Maybe I'm missing something but it looks like currently Eclipse secure storage is applicable only for Eclipse IDE. At least I failed to find any working sample of RCP applications using it.
- Serge
- Posts: 1526
- Joined: Sat Feb 26, 2011 8:24 pm
- Location: SPb
Re: Use Secure-Storrage off eclipse
by negora » Thu Oct 24, 2013 3:26 pm
Ops, I thought that it was an easier task. But if it's going to cause instability, I agree that it's better to leave it as is.
About the current storage method, What kind of algorithm does DBeaver use to hash the passwords? I've checked the file ~/.dbeaver/DBeaver/data-sources.xml and have seen some encrypted password. Could it be possible to store every password or at least the passwords of every data source with an exclusive salt? This salt could be stored in the same file. It's just to make massive brute force attacks more complicated. Also a slow algorithm such as PBKDF2 would help a lot in this task. I've no idea if you're already using this one.
Thank you.
About the current storage method, What kind of algorithm does DBeaver use to hash the passwords? I've checked the file ~/.dbeaver/DBeaver/data-sources.xml and have seen some encrypted password. Could it be possible to store every password or at least the passwords of every data source with an exclusive salt? This salt could be stored in the same file. It's just to make massive brute force attacks more complicated. Also a slow algorithm such as PBKDF2 would help a lot in this task. I've no idea if you're already using this one.
Thank you.
- negora
- Posts: 7
- Joined: Thu Oct 24, 2013 7:26 am
Re: Use Secure-Storrage off eclipse
by Serge » Wed Jan 22, 2014 12:46 pm
DBeaver uses custom algorithm to encode passwords. A time ago we have used java crypto and DES scheme. But in fact all this doesn't make much sense. As DBeaver is open source anybody can study sources and easily write a password decoder.
And there is no way to protect password better. The only solution is to use secure storage with master-password.
I'll try to integrate with Eclipse secure-storage one more time, maybe something was changed in 4.3..
Thanks for raising up this (very important in some cases) issue.
And there is no way to protect password better. The only solution is to use secure storage with master-password.
I'll try to integrate with Eclipse secure-storage one more time, maybe something was changed in 4.3..
Thanks for raising up this (very important in some cases) issue.
- Serge
- Posts: 1526
- Joined: Sat Feb 26, 2011 8:24 pm
- Location: SPb
6 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 13 guests