db-derby-user mailing list archives

From Luan O'Carroll <lu...@xoetrope.com>
Subject Re: Users authentication - design problem
Date Thu, 31 May 2007 09:13:01 GMT
I'm doing something similar with a business application.

There's nothing stopping the user "accidentally" deleting the data on 
the local machine either. If the password is held in the software then 
it is insecure and can be easily cracked.

It would be better to store the data on a server and do an extract or 
replicate to the local database, that way any loss of local data may not 
be so disastrous.

At least the password could be stored on the server for later recovery 
if necessary. Preferably the password should not be stored anywhere on 
the local machine.


David Van Couvering wrote:
> What happens if a user accidentally deletes the password file that you
> stored on their machine, or if there is a disk crash and the password
> file is lost?  Since you don't have any other copy of the
> user/password, this means the data in the database is lost, something
> that your users may not appreciate :)
> Can't you accomplish the same goal by having a boot password (used
> when you open the encrypted database) embedded in your application
> code?  I'm not a security expert, and I don't know if it's possible to
> somehow 'extract' a password from a process in memory.  For extra
> security, you could update the password from time to time as part of
> an application upgrade...
> David
> On 5/30/07, Stanley Styszynski <diabeteo@gmail.com> wrote:
>> Hello,
>> My name is Stanley and I'm working on an application which will offer
>> the opportunity to simulate the effects of changes in insulin and diet
>> on the blood glucose profile of a diabetic patient. It will be a
>> multiuser, desktop application with Apache Derby inside.
>> I would not like to grant any of the users the administrative
>> privileges. Every user (added using special form in my application)
>> should be equal. No one should be able to see or modify other users'
>> results or database settings. I plan to dynamically create a root user
>> (when my application will be launched for the first time). Root's user
>> name and password will be created dynamically (current time multiplied
>> by random value and SHA-256).
>> This data will be stored in a separate text file (encrypted) and its
>> content will be read by the application to enable adding new users. I
>> plan to encrypt a database so only my application will be able to boot
>> it.
>> Then, the application itself will be controlling access to the
>> appropriate pieces of data. It should be easy when we take into account
>> that my application is using built-in driver (no network connection at
>> all, database is integrated with application).
>> Is this solution good? Maybe there are others who encountered such a
>> "problem" and could share their knowledge?
>> Regards,
>> Stanley
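
The thread turns on where the boot password of an encrypted embedded Derby database comes from. As an added example (not code from any poster in this thread), the sketch below hands the password to Derby at connection time instead of keeping it as a literal in the application or in a local file. The database name `simdb`, the class name and the interactive prompt as the password source are assumptions; the prompt stands in for whatever off-machine source is used, such as the server suggested above.

```java
import java.io.Console;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;

// Added example: boots (or creates) an encrypted embedded Derby database
// with a boot password obtained at runtime. Needs derby.jar on the classpath.
public class BootEncryptedDerby {

    // Hypothetical password source: an interactive prompt (assumption).
    static char[] obtainBootPassword() {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console available");
        }
        char[] pw = console.readPassword("Database boot password: ");
        // Derby expects a boot password of at least eight characters.
        if (pw == null || pw.length < 8) {
            throw new IllegalArgumentException("boot password must be at least 8 characters");
        }
        return pw;
    }

    static Connection open(String dbName, char[] bootPassword) throws SQLException {
        Properties attrs = new Properties();
        attrs.setProperty("create", "true");          // create on first launch
        attrs.setProperty("dataEncryption", "true");  // encrypt the database on disk
        // Passed as a connection property, so it never appears in a URL string
        // or in the source. The String copy is still held in memory by the JVM.
        attrs.setProperty("bootPassword", new String(bootPassword));
        return DriverManager.getConnection("jdbc:derby:" + dbName, attrs);
    }

    public static void main(String[] args) throws SQLException {
        char[] pw = obtainBootPassword();
        try (Connection conn = open("simdb", pw)) {   // "simdb" is a constructed name
            System.out.println("Encrypted database booted: " + !conn.isClosed());
        } finally {
            Arrays.fill(pw, '\0');                    // clear our own copy
        }
    }
}
```

Booting the same database again with a different password fails with an `SQLException`, so losing the password means losing access to the data, which is the recovery concern raised in the thread.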
