December 2, 2004 at 5:43 am
Hello,
I wonder if there is a way to assign a database password.
The problem is that the server could be simply opened using Enterprise Manager or any other tool if the user knows the sa/null user/password.
I need to install the database using sa/null and assign a database password to the data so it would only be opened using my application!
December 3, 2004 at 4:30 am
Assigning a blank SA password is considered bad practice. Is there any specific reason why you need to do this?
Better practice would be to assign an SA password (and restrict knowledge of it to the DBA), then create a new user/password for your app with the minimal permissions it needs.
Again, your app's username and password should be kept secure and hard-coded into the application, and the password shouldn't be blank as this is the first thing a hacker will try.
December 3, 2004 at 6:04 am
Thanks Paul
Well, I guess this is what I am about to do.
I tried to change the sa password once but I got things messed up. I will have to work hard this time.
So I will have to consider assigning a password during msde setup and use the password within the application.
Do you think just adding the password to the application without encryption can make it vulnerable to hacking? And why do you recommend creating another user for the application if it is a desktop app?
December 3, 2004 at 6:16 am
Depending how you're implementing it, yes you could write a script to change the sa password and create a new login, and run that at the end of setup.
I advise creating a separate user for the application because you can then lock it down and ensure it can only access/do exactly what it needs to. Giving an app sysadmin privileges is dangerous...
...which brings me to the previous question. If your application is compiled then they shouldn't really be able to get at the password if it's hard-coded. This depends on what you're coding the front-end in. This is all the more reason not to use sa because if they do hack it, they can do anything...
December 3, 2004 at 7:47 am
I'm always wary of putting a hard-coded password in the application. Better to store it outside (registry, file, something) and encrypt that somehow so it can be changed.
Definitely don't want a blank sa password. You might also want to look at application roles as well.
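The setup script the replies describe (change the sa password, create a least-privilege login for the app, and optionally an application role so the data is usable only through the application), as an added example that is not part of the original thread. It uses the SQL Server 2000 / MSDE system procedures of the period; MyAppDb, MyAppLogin, MyAppUser, MyAppRole, MyAppAppRole, the table names and the password placeholders are assumptions.

```sql
-- Added example (not from the thread): run as sa at the end of setup,
-- e.g. with osql. Replace every <...> placeholder with a real value.

-- 1. Replace the blank sa password. A sysadmin may change any login's
--    password without supplying the old one, so @old stays NULL.
EXEC sp_password @old = NULL, @new = '<NEW_STRONG_SA_PASSWORD>', @loginame = 'sa'
GO

-- 2. A dedicated login for the application instead of sa.
EXEC sp_addlogin @loginame = 'MyAppLogin',
                 @passwd   = '<APP_LOGIN_PASSWORD>',
                 @defdb    = 'MyAppDb'
GO

USE MyAppDb
GO

-- 3. Map the login to a database user and put it in a role that holds
--    only the permissions the application actually needs (no db_owner).
EXEC sp_grantdbaccess @loginame = 'MyAppLogin', @name_in_db = 'MyAppUser'
EXEC sp_addrole @rolename = 'MyAppRole'
EXEC sp_addrolemember @rolename = 'MyAppRole', @membername = 'MyAppUser'

-- dbo.Orders and dbo.Customers are assumed table names.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders    TO MyAppRole
GRANT SELECT                 ON dbo.Customers TO MyAppRole
GO

-- 4. Optional: an application role, as the last reply suggests. Grant the
--    table rights to the app role instead of MyAppRole; the application
--    activates the app role with its own password right after connecting.
--    Someone who opens the database in Enterprise Manager with MyAppLogin
--    then holds only the login's (empty) rights, not the app role's.
EXEC sp_addapprole @rolename = 'MyAppAppRole', @password = '<APP_ROLE_PASSWORD>'
GRANT SELECT, INSERT, UPDATE ON dbo.Orders    TO MyAppAppRole
GRANT SELECT                 ON dbo.Customers TO MyAppAppRole
GO

-- What the application itself runs after connecting (not part of setup):
-- EXEC sp_setapprole @rolename = 'MyAppAppRole', @password = '<APP_ROLE_PASSWORD>'
```

The app-role password still has to live somewhere the application can read it, which is the storage-and-encryption concern raised in the last reply.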