ToadStudio passwords in settings file, security concern_问答_开发者

ToadStudio passwords in settings file, security concern

开发者 https://www.devze.com 2023-03-15 04:45 出处：网络

I need to share a connections setting file for ToadStudio SQLeditor. I do have some concerns about the passwords that are stored in the settings file.

I need to share a connections setting file for ToadStudio SQLeditor.

I do have some concerns about the passwords that are stored in the settings file.

The file currently looks like this:

<ToadStudio>
  <FileVersion Encryption="3Des">3</FileVersion>
  <ConnectionHierarchy>
    <DbPlatform name="MySQL">
      <Path />
      <Connections>
        <Connection type="MySQL" autoCommit="True">
          <Path>MySQL</Path>
          <AutoConnect>False</AutoConnect>
          <Database>db</Database>
          <开发者_高级运维Host>localhost</Host>
          <User>dbuser</User>
          <Password>EF9ED08748C745FC</Password>
          <WinAuth>False</WinAuth>
          <LastConnectionDate>0001-01-01T00:00:00.0000000</LastConnectionDate>
          <Options>
            <Protocol type="SSH" />
            <SSH host="127.0.0.1" user="sshuser" password="744F3C66F88E084B" />
          </Options>
        </Connection>
      </Connections>
      <Groups />
    </DbPlatform>
  </ConnectionHierarchy>
</ToadStudio>

It's meant to connect to a database via SSH tunnel.

So, the concern is the way that passwords are stored in this file. Looking at the first lines in the file, I assume that the passwords are being encrypted with triple DES.

In the above sample, the passwords are equal to the usernames (dbuser,sshuser)

Since I can share this file, any other instance of TOADStudio can decrypt it to the original plain text, so I can only guess that toadStudio uses a hard coded seed for encrypting stuff.

I'm not running state secrets in my server, but I'd like a bit of reassurance that it will not be trivially easy for someone to obtain the password plaintext based on these setting files.

Any insight would be appreciated.

That does look like 3DES to me, which is honestly more security than your average app uses - look into how VNC stores its passwords some day, very scary.

In any case, it definitely sounds like you're on the right track. Have you actually tested that sharing this file allows other TOAD users to connect using your stored info? If so then it probably would be fairly easy (though not trivially so) for someone to get at those passwords. That said, 3DES isn't really adequate these days and is fairly breakable, but if someone has sufficient access to your machine to steal that file, they could just as easily keylog you, install backdoors or all kinds of other things. From a security standpoint, if the attacker has sufficient access to get at that file, it's probably game over anyway.