db-derby-user mailing list archives

From "David Van Couvering" <da...@vancouvering.com>
Subject Re: Users authentication - design problem
Date Wed, 30 May 2007 23:05:43 GMT
What happens if a user accidentally deletes the password file that you
stored on their machine, or if there is a disk crash and the password
file is lost?  Since you don't have any other copy of the
user/password, this means the data in the database is lost, something
that your users may not appreciate :)

Can't you accomplish the same goal by having a boot password (used
when you open the encrypted database) embedded in your application
code?  I'm not a security expert, and I don't know if it's possible to
somehow 'extract' a password from a process in memory.  For extra
security, you could update the password from time to time as part of
an application upgrade...


On 5/30/07, Stanley Styszynski <diabeteo@gmail.com> wrote:
> Hello,
> My name is Stanley and I'm working on an application which will offer the
> opportunity to simulate the effects of changes in insulin and diet on the
> blood glucose profile of a diabetic patient. It will be a multiuser, desktop
> application with Apache Derby inside.
> I would not like to grant any of the users the administrative privileges.
> Every user (added using special form in my application) should be equal. No
> one should be able to see or modify other users results or database
> settings. I plan to dynamically create a root user (when my application will
> be launched for the first time). Root's user name and password will be
> created dynamically (current time multiplied by random value and SHA-256).
> This data will be stored in a separate text file (encrypted) and its content
> will be read by the application to enable adding new users. I plan to
> encrypt a database so only my application will be able to boot it.
> Then the application itself will be controlling access to the appropriate pieces
> of data. It should be easy when we take into account that my application is
> using built-in driver (no network connection at all, database is integrated
> with application).
> Is this solution good? Maybe there are others who encountered such a
> "problem" and could share their knowledge?
> Regards,
> Stanley
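
The first-launch setup described in the quoted message (a generated root credential plus an encrypted embedded database), as an added example that is not part of either message or of Derby's own code. It assumes derby.jar is on the classpath, uses a hypothetical database name `glucoseDB`, and swaps the "current time multiplied by random value and SHA-256" scheme for `java.security.SecureRandom`.

```java
import java.security.SecureRandom;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Base64;

public class EncryptedDerbySetup {
    static final String DB = "glucoseDB"; // hypothetical name, assumed for this example

    // 256 bits from the platform CSPRNG; URL-safe Base64 avoids ';' and '=' in the JDBC URL.
    static String randomSecret() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Database-level properties are stored inside the database itself.
    static void setDbProperty(Connection c, String key, String value) throws SQLException {
        try (CallableStatement cs = c.prepareCall(
                "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)")) {
            cs.setString(1, key);
            cs.setString(2, value);
            cs.execute();
        }
    }

    // First launch: create the encrypted database and define the root user.
    static void createDatabase(String bootPassword, String rootPassword) throws SQLException {
        String url = "jdbc:derby:" + DB + ";create=true;dataEncryption=true;bootPassword=" + bootPassword;
        try (Connection c = DriverManager.getConnection(url)) {
            setDbProperty(c, "derby.user.root", rootPassword);
            setDbProperty(c, "derby.authentication.provider", "BUILTIN");
            setDbProperty(c, "derby.connection.requireAuthentication", "true");
        }
    }

    public static void main(String[] args) throws SQLException {
        String bootPassword = randomSecret(); // needed to boot the encrypted database
        String rootPassword = randomSecret(); // needed to connect as root
        createDatabase(bootPassword, rootPassword);
        // Later launches need both secrets again; where they are kept is the open question in the thread.
        String url = "jdbc:derby:" + DB + ";bootPassword=" + bootPassword + ";user=root;password=" + rootPassword;
        try (Connection c = DriverManager.getConnection(url)) {
            System.out.println("opened as " + c.getMetaData().getUserName());
        }
    }
}
```

Both secrets exist only in memory here; unless the application persists them somewhere recoverable, the encrypted data cannot be opened again, which is the failure mode raised in the reply.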
