
Passwords easily discovered in Session Manager

makkynz posted 1 year ago in General
Changing a connection's settings (including passwords) in the session manager makes the save button enabled or disabled.

Now if I try to guess the password (i.e. type over the masked password field), I can tell when I have guessed it right because the save button becomes enabled. This seems like a significant security hole.
makkynz posted 1 year ago
Sorry, I meant "...because the save button becomes disabled."
ansgar posted 1 year ago
The fact alone that you know your guess was right is not a security hole. The same would happen if you guess and just try to connect.
makkynz posted 1 year ago
But you can monitor failed connection attempts and apply whatever security strategy you want around it.
ansgar posted 1 year ago
Yes, that's right. Well... I'm still not thinking we have a security hole here. It's a convenience feature, and you still have to guess what you already put into the password field before. You could also say the encryption HeidiSQL uses for storing passwords in the registry is too weak.

makkynz posted 1 year ago
OK, cool. I suppose it is kind of like splitting hairs.
ansgar posted 1 year ago
Hoping you're not talking ironically now :)
