
Re: Adding some random characters to Oracle password

From: Alan <alan_at_erols.com>
Date: Thu, 28 Oct 2004 15:38:33 -0400
Message-ID: <2ud05qF29b0j8U1@uni-berlin.de>

"Howard J. Rogers" <hjr_at_dizwell.com> wrote in message news:4181460a$0$21982$afc38c87_at_news.optusnet.com.au...
> Alan wrote:
> [snip]
>
> >>
> >> Scalability is just one concern. What happens if the secret ID and
> >> password ever get discovered?
> >
> > It can't get discovered because it is hard-coded and compiled into the
> > app. Source code is secured.
>
> Oh dear. I kind of knew you'd say that.
>
> And no-one could take your application and reverse engineer it? No-one
> could torture your developers (now there's a thought) to discover what it is?
> No-one could packet sniff your network to discover what is being sent?
>
> "It can't get discovered" is a *huge* claim to make.

Well, you need to know the situation here. Of course the extreme measures you described could be used (and the torture part is fine with me), but the application involved isn't worth the effort. It just needs to be secured internally, to prevent sales offices from seeing each other's information. And, to be truthful, it's not exactly as I stated - it is far less secure, but that was not my decision, nor is it my problem. Without going into details, I'll just say that the user id and password can be found, if you know where to look. And, no, I don't build my applications that way - this was done by a former regime, but management is happy with it. I posted this method to indicate that there are alternatives, depending on your situation. This all reminds me of a Dilbert cartoon I saw yesterday:

Boss: Tell me again what the issue is.

Dilbert: Do you want the simple but misleading explanation or the one you won't understand?

Boss: Either one is good; I wasn't planning on listening.

Now you can understand how we got to this security implementation.

Received on Thu Oct 28 2004 - 14:38:33 CDT
