
Passwords easily discovered in Session Manager

Written by makkynz
1 year ago
Category: General
5 posts since Wed, 26 Jun 13
Changing a connection's settings (including passwords) in the session manager makes the save button enabled or disabled.

Now if I try to guess the password (i.e. type over the masked password field), I can tell when I have guessed it right because the save button becomes enabled. This seems like a significant security hole.
Written by makkynz
1 year ago
5 posts since Wed, 26 Jun 13
Sorry, I meant "...because the save button becomes disabled."
Written by ansgar
1 year ago
5051 posts since Fri, 07 Apr 06
The fact alone that you know your guess was right is not a security hole. The same would happen if you guess and just try to connect.
Written by makkynz
1 year ago
5 posts since Wed, 26 Jun 13
But you can monitor failed connection attempts and apply whatever security strategy you want around it.
Written by ansgar
1 year ago
5051 posts since Fri, 07 Apr 06
Yes, that's right. Well... I'm still not thinking we have a security hole here. It's a convenience feature, and you still have to guess what you already put into the password field before. You could also say the encryption HeidiSQL uses for storing passwords in the registry is too weak.
Written by makkynz
1 year ago
5 posts since Wed, 26 Jun 13
OK, cool. I suppose it is kind of like splitting hairs.
Written by ansgar
1 year ago
5051 posts since Fri, 07 Apr 06
Hoping you're not talking ironically now :)
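
An added illustration of the behaviour discussed in this thread (not HeidiSQL's own code and not part of any post): a constructed model of a settings dialog whose save button is driven by comparing field contents with the saved values, next to a variant that treats the password field as modified on any edit, so the button state is the same whatever is typed there. The class, method and field names and the sample values are assumptions.

```python
# Constructed model of a connection-settings dialog; all names are hypothetical.
SECRET_FIELDS = frozenset({"password"})

# Constructed sample of saved settings (not real credentials).
SAVED = {"host": "db.example.test", "user": "app", "password": "s3cret-constructed"}


class SessionForm:
    def __init__(self, stored):
        self.stored = dict(stored)    # values loaded from the saved session
        self.current = dict(stored)   # values currently shown in the dialog
        self.touched = set()          # fields the user has typed into

    def edit(self, name, value):
        self.current[name] = value
        self.touched.add(name)

    def save_enabled_by_value(self):
        # Behaviour described in the thread: the button reflects whether the
        # field contents differ from what is saved, so retyping the saved
        # password turns it back off.
        return self.current != self.stored

    def save_enabled_by_edit(self):
        # Variant: a secret field counts as modified as soon as it is edited,
        # whatever its contents; other fields still compare by value.
        for name, value in self.current.items():
            if name in SECRET_FIELDS:
                if name in self.touched:
                    return True
            elif value != self.stored.get(name):
                return True
        return False


def button_states(typed_password):
    """Return (value-compared state, edit-tracked state) after one edit."""
    form = SessionForm(SAVED)
    form.edit("password", typed_password)
    return form.save_enabled_by_value(), form.save_enabled_by_edit()


if __name__ == "__main__":
    for typed in ("not-the-password", SAVED["password"]):
        print(button_states(typed))
```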
 
