Passwords easily discovered in Session Manager

[expired user #7035] posted 11 years ago in General
Changing a connection's settings (including passwords) in the session manager makes the save button enabled or disabled.

Now if I try to guess the password (i.e. type over the masked password field), I can tell when I have guessed it right because the save button becomes enabled. This seems like a significant security hole.
[expired user #7035] posted 11 years ago
Sorry, I meant "...because the save button becomes disabled."
ansgar posted 11 years ago
The fact alone that you know your guess was right is not a security hole. The same would happen if you guess and just try to connect.
[expired user #7035] posted 11 years ago
But you can monitor failed connection attempts and apply whatever security strategy you want around it.
ansgar posted 11 years ago
Yes, that's right. Well... I still don't think we have a security hole here. It's a convenience feature, and you still have to guess what you already put into the password field before. You could also say the encryption HeidiSQL uses for storing passwords in the registry is too weak.
[expired user #7035] posted 11 years ago
OK, cool. I suppose it is kind of like splitting hairs.
ansgar posted 11 years ago
Hoping you're not talking ironically now :)
