
I am on a project team that is maintaining a few legacy VB6 applications. These applications are installed at over 600 customers worldwide, mostly in the USA. These applications all connect to a database back end, but the problem is that the SQL Login ID and password are hard coded inside the application. In these projects we are using the ODBC API to connect to the database.

What we would like to do is to provide a way for the users to set their own SQL Login ID and password. We have thought of using Active Directory Authentication, but we have dismissed this idea due to the fact that a user would then be able to connect to the database using MS Access/Excel or Crystal Reports.

We are currently working on an idea where we would store the encrypted Login ID in either an INI file or in the registry, but we do not like these solutions at all. We are looking into using a Certificate, but I think that we will have the same issue as with AD Authentication.

So please, let's hear your ideas, no matter how strange and outlandish they may be.

  • You haven't mentioned - why is your current implementation a problem? Is this app actually 'legacy', or is it actively being maintained? IOW, what's the reason for change? Commented Jul 21, 2011 at 23:47
  • Thanks for the reply, we are receiving more and more requests from our customers to allow them to change the database password. We are working on newer web-based applications that will eventually replace the legacy applications, but there have been issues involving their development to date. What we have done in the past is to ask the customer what password they want to use and then hard code that password and create a special executable for them. This poses other issues (i.e. upgrades, etc.). Commented Jul 21, 2011 at 23:58
  • @Mark, one app I support takes the username and password and puts it in an XML file with no obfuscation at all, much less encryption. Before I would expend a great deal of effort encrypting the password, I'd determine what the risks are for a compromised password. Could those be mitigated by locking down the user account in the server sufficiently? Commented Jul 22, 2011 at 18:27

1 Answer

Why not store the user name and password in an INI file? Use symmetric-key encryption (like AES) with salting and then base64-encode the result. You can generate a true random key from Random.org. If you choose this route, I can provide some assistance.


3 Comments

That's basically what we do here, but using RC4 instead of AES (the function is 25 lines of VB code) and a hex dump instead of base64 (why bother, shorter to implement again).
Ok, the more and more I read about this the more I am being led to this solution. Andrew, I would be very interested in seeing what type of solution you may have used in the past.
@wqw, True, a hex dump is faster. Didn't think about that one. RC4, according to Wikipedia, has been compromised. I doubt many end-users are that likely to hack the username and password IF they even figure out the encryption method, but just FYI.
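The scheme the answer describes (AES over the stored password, base64 into an INI file), written out as an added Go example that is not from the original thread; it uses AES-GCM so that a wrong key or an edited INI value is rejected instead of silently yielding garbage, and the key, the `appuser` name, the `[database]` section layout and the `encryptSecret`/`decryptSecret` names are my own assumptions. Note the caveat the comments raise still applies: the key has to be reachable by the application, so this stops casual reading of the file but not someone who has the binary and the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// encryptSecret seals plaintext under a 32-byte AES-256 key with a fresh
// random nonce and returns base64(nonce || ciphertext || tag), an INI-safe string.
func encryptSecret(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// decryptSecret reverses encryptSecret; a wrong key or a tampered value fails
// the GCM tag check and returns an error rather than a bogus password.
func decryptSecret(key []byte, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or modified INI value")
	}
	return string(pt), nil
}

// writeIniSection and readIniValue model the [database] section the app would keep.
func writeIniSection(user, encPassword string) string {
	return fmt.Sprintf("[database]\nuser=%s\npassword=%s\n", user, encPassword)
}

func readIniValue(ini, key string) (string, bool) {
	for _, line := range strings.Split(ini, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok && strings.TrimSpace(k) == key {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one comes from a CSPRNG
	rand.Read(key)
	enc, _ := encryptSecret(key, "s3cret!")
	ini := writeIniSection("appuser", enc)
	stored, _ := readIniValue(ini, "password")
	pt, err := decryptSecret(key, stored)
	fmt.Printf("ini:\n%s\nrecovered=%q err=%v\n", ini, pt, err)
}
```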
