SSH Tunnel password security concern

[expired user #10998] posted 7 years ago in General

Hello, been a fan of HeidiSQL for a while. Great app.

I recently started using SSH tunnels for accessing servers and came across a concern in another developer forum over how passwords are being stored. Doing some research on my own, it very quickly became apparent that the passwords are trivially easy to decode. I say "decode" because they're not actually encrypted. I have reviewed the source in helpers.pas and I would like to make a humble suggestion on how to implement much better security without creating too much additional work on the part of the developer.

First, utilize existing encryption libraries that support both bcrypt and AES encryption. These libraries are based on proven encryption techniques and will be far more secure than trying to roll your own. There are Delphi libraries for both methods that are freely available.

Second, using Bcrypt encryption, allow the user to create a master password for HeidiSQL, bcrypt it, and store the resulting value. This password should be used to access HeidiSQL on startup. For those not familiar with Bcrypt, it is a forward-only method of encryption, meaning that it cannot be decrypted. Use the master password as the salt for the rest of the passwords in the system. This will be far more effective than using rnd(9) as your salt. The master password should not be stored anywhere. When entered, its Bcrypt-encrypted value should be compared to the stored Bcrypt value from when the master password was first created.

Lastly, use AES encryption with the master password value (not its Bcrypted hash) as the private key to store the actual passwords. This encrypted value can only be decrypted if the correct master password is provided at login. And, again, since the master password is never stored anywhere, this keeps the application and the stored passwords protected.

I hope you find this suggestion helpful and keep up the great work.
