db-derby-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Francois Orsini" <francois.ors...@gmail.com>
Subject Re: Users authentication - design problem
Date Thu, 31 May 2007 22:39:15 GMT
On 5/31/07, Luan O'Carroll <luano@xoetrope.com> wrote:
>
> I'm doing something similar with a business application.
>
> There's nothing stopping the user "accidentally" deleting the data on
> the local machine either. If the password is held in the software then
> it is insecure and can be easily cracked.
>
> It would be better to store the data on a server and do an extract or
> replicate to the local database, that way any loss of local data may not
> be so disastrous.
>
> At least the password could be stored on the server for later recovery
> if necessary. Preferrably the password should not be stored anywhere on
> the local machine


Yes and that's why some applications are using Smart Cards (aka Java Cards)
to store user credentials amongst other data -  Maybe the original  poster
should think about doing this - This is becoming more & more common,
especially with healthcare applications where data access is pretty
sensitive, especially when moved outside of a (central) server...

-Luan
>
> David Van Couvering wrote:
> > What happens if a user accidentally deletes the password file that you
> > stored on their machine, or if there is a disk crash and the password
> > file is lost?  Since you don't have any other copy of the
> > user/password, this means the data in the database is lost, something
> > that your users may not appreciate :)
> >
> > Can't you accomplish the same goal by having a boot password (used
> > when you open the encrypted database) embedded in your application
> > code?  I'm not a security expert, and I don't know if it's possible to
> > somehow 'extract' a password from a process in memory.  For extra
> > security, you could update the password from time to time as part of
> > an application upgrade...
> >
> > David
> >
> > On 5/30/07, Stanley Styszynski <diabeteo@gmail.com> wrote:
> >> Hello,
> >>
> >> My name is Stanley and I'm working on application which will offer
> >> opportunity to simulate the effects of changes in insulin and diet on
> >> the
> >> blood glucose profile of a diabetic patient. It will be a multiuser,
> >> desktop
> >> application with Apache Derby inside.
> >>
> >> I would not like to grant any of the users the administrative
> >> privileges.
> >> Every user (added using special form in my application) should be
> >> equal. No
> >> one should be able to see or modify other users results or database
> >> settings. I plan to dynamically create a root user (when my
> >> application will
> >> be launched for the first time). Root's user name and password will be
> >> created dynamically (current time multiplied by random value and
> >> SHA-256).
> >> This data will be stored in separate text file(encrypted) and it's
> >> content
> >> will be read by the application to enable adding new users. I plan to
> >> encrypt a database so only my application will be able to boot it.
> >> Then, application itself, will be controlling access to the propriate
> >> pieces
> >> of data. It should be easy when we take into account that my
> >> application is
> >> using built-in driver (no network connection at all, database is
> >> integrated
> >> with application).
> >>
> >> Is this solution good? Maybe there are others who encountered such a
> >> "problem" and could share their knowledge?
> >>
> >> Regards,
> >>
> >> Stanley
> >>
> >>
> >
> >
>
>

Mime
View raw message