Re: [Firebird-devel] Initializing security database for first use
On 12/22/11 07:12, Doug Chamberlin wrote:
> Why limit it to so little? Make the limit 1KB or 2KB to encourage pass phrases instead of passwords. Full sentences that are meaningful to the person are WAY better protection than complex passwords.

Currently (fb3) Firebird does not artificially limit the length of passwords. But one must take into account that passwords much longer than the size of the hash are meaningless: in case of a brute-force attack one will sooner find a shorter password with the same hash value. With a 160-bit hash we can say that passwords longer than 20-24 bytes (24 because one typically does not use some bytes like \n in passwords) make no sense from the brute-force attack POV. On the other hand, if one prefers to use some long pass phrase (maybe it's easier to remember?), I see no big reason to avoid such practice. But please remember that passwords do not become stronger on SRP when 24 bytes long.

--
Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Initializing security database for first use
02.01.2012 1:38, Steve Friedl wrote:
> On Sun, Jan 01, 2012 at 08:14:56PM -0400, W O wrote:
>> Right, but it takes more time to type them and the probability of mistakes grows.
> Sure, but if long passwords are allowed, people have a choice as to their own tradeoff of security -vs- convenience. If only short passwords are allowed, Firebird makes the choice for them.

SSH long keys aren't typed, but still are considered to be secure.

--
SY, SD.

--
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Initializing security database for first use
Why limit it to so little? Make the limit 1KB or 2KB to encourage pass phrases instead of passwords. Full sentences that are meaningful to the person are WAY better protection than complex passwords.

On 12/21/11 4:19 PM, W O wrote:
> Just 8 letters for a password seems to me very short. Is it very difficult to extend it to 16 letters?
Re: [Firebird-devel] Initializing security database for first use
Right, but it takes more time to type them and the probability of mistakes grows.

Greetings.

Walter.

On Wed, Dec 21, 2011 at 11:12 PM, Doug Chamberlin <chamberlin.d...@gmail.com> wrote:
> Why limit it to so little? Make the limit 1KB or 2KB to encourage pass phrases instead of passwords. Full sentences that are meaningful to the person are WAY better protection than complex passwords.
>
> On 12/21/11 4:19 PM, W O wrote:
>> Just 8 letters for a password seems to me very short. Is it very difficult to extend it to 16 letters?
Re: [Firebird-devel] Initializing security database for first use
On Sun, Jan 01, 2012 at 08:14:56PM -0400, W O wrote:
> Right, but it takes more time to type them and the probability of mistakes grows.

Sure, but if long passwords are allowed, people have a choice as to their own tradeoff of security -vs- convenience. If only short passwords are allowed, Firebird makes the choice for them.

> On Wed, Dec 21, 2011 at 11:12 PM, Doug Chamberlin <chamberlin.d...@gmail.com> wrote:
>> Why limit it to so little? Make the limit 1KB or 2KB to encourage pass phrases instead of passwords. Full sentences that are meaningful to the person are WAY better protection than complex passwords.
>>
>> On 12/21/11 4:19 PM, W O wrote:
>>> Just 8 letters for a password seems to me very short. Is it very difficult to extend it to 16 letters?

--
Stephen J Friedl | Security Consultant | UNIX Wizard | 714 694-0494
st...@unixwiz.net | Orange County, CA | - | unixwiz.net
Re: [Firebird-devel] Initializing security database for first use
On 12/21/11 19:11, Paul Reeves wrote:
>> BTW, will the default be masterkey or masterke? Those are different things now.
> Are you saying that if the default is set to masterke and the user types masterkey that the login will fail? And the same with typing masterke when the password is masterkey?

Yes. That's obvious if we have passwords longer than 8 chars :)

> If that is the case we might have some very confused users. At the moment I would suspect a majority type masterkey because it is the documented default *and* it is a meaningful word. And there is probably a large minority who think they are being clever by only typing eight letters because they know the ninth letter is ignored.

As far as I understand we will use 'masterkey'. People who are typing will not have too hard a problem typing one more letter. The worst case are scripts where 'masterke' is used. Looks like this will become a lesson for people who:
- use the default password in production,
- type it in scripts (for the _default_ password this is not big trouble in fact),
- abbreviate it in an undocumented way :-)
Re: [Firebird-devel] Initializing security database for first use
On 12/20/11 22:04, Dmitry Yemanov wrote:
> 20.12.2011 18:22, Paul Reeves wrote:
>> o Add a checkbox that allows a user to keep SYSDBA/masterkey. Default will be unchecked. If unchecked then next screen will ask user to enter new password.
> This gets my vote.

Just one idea. Maybe not a check box, but a radio box with 3 choices: keep masterkey, ask the user for a password, and generate a random password (which will be saved into the file $FbRoot/SYSDBA.password). The last method is used in the silent Linux install, and people feel OK with it. Certainly I'm not going to insist; that's no more than a suggestion.

BTW, will the default be masterkey or masterke? Those are different things now.
Re: [Firebird-devel] Initializing security database for first use
On 12/20/11 18:31, Paul Reeves wrote:
> On Tuesday 20 December 2011 at 14:20 Alex Peshkoff wrote:
>> Next, for ZIP install people will have to run gsec the first time manually.
> That is not desirable. In fact when I wrote my previous reply I was just thinking about the UI of the installer. Once the information has been collected the installer would need to actually initialise the security database. The best way to do this would be to provide a batch file that takes the uname and pw as params. That way the zip package can share the same mechanism.

Writing a batch file is not a problem. But I do not know why it is needed when all you need is:

gsec -add sysdba -pw %new_password%
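An added example (not Firebird's own installer or batch file) of the silent first-use initialisation the thread converges on: generate a random SYSDBA password, keep it in $FbRoot/SYSDBA.password as Alex suggests for the Linux install, and register it with the gsec command quoted above; it also accepts an explicit password for scriptable installs and, unlike the thread's proposal, refuses the documented default and its 8-character abbreviation. Assumptions: the security database is still empty so the -add needs no prior credentials, and gsec is on PATH or named by $GSEC.

```shell
#!/bin/sh
# Added example, not project code. Assumes an empty security database that
# accepts "gsec -add sysdba -pw <password>" (as stated in the thread) and a
# gsec binary on PATH (override with GSEC=/path/to/gsec).

# gen_password N: N random characters from [A-Za-z0-9]. The alphabet has no
# shell or batch metacharacters, so the value is safe inside "-pw %var%".
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# is_default_password PW: true for the documented default and for the
# 8-character form that only worked while the ninth letter was ignored.
is_default_password() {
    case "$1" in
        masterkey|masterke) return 0 ;;
        *) return 1 ;;
    esac
}

# init_sysdba FBROOT [PASSWORD]: use PASSWORD if given (the command-line
# option for scripted installs), otherwise generate one. The password is
# stored owner-readable only in FBROOT/SYSDBA.password before gsec runs,
# and the file is removed again if gsec fails. Prints the file path.
init_sysdba() {
    fbroot="$1"
    pw="${2:-$(gen_password 24)}"
    pwfile="$fbroot/SYSDBA.password"

    if is_default_password "$pw"; then
        printf 'refusing to initialise SYSDBA with the default password\n' >&2
        return 2
    fi

    # umask inside a subshell so the caller's umask is left untouched
    ( umask 077 && printf '%s\n' "$pw" > "$pwfile" ) || return 1

    "${GSEC:-gsec}" -add sysdba -pw "$pw" || { rm -f "$pwfile"; return 1; }
    printf '%s\n' "$pwfile"
}
```

Run as `init_sysdba /opt/firebird` after unpacking; the printed file is the only copy of the generated password, so the installer's final screen or log should point the user to it.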
Re: [Firebird-devel] Initializing security database for first use
On Wednesday 21 December 2011 at 12:29 Alex Peshkoff wrote:
> Writing a batch file is not a problem. But I do not know why it is needed when all you need is:
> gsec -add sysdba -pw %new_password%

Don't forget we are talking about Windows users here :-) (g,d&r). A lot of them will not even know there is a command-line. Even then, one of the design goals of the installer is to install a fully working system from the installer itself.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Specialists in Firebird support
Re: [Firebird-devel] Initializing security database for first use
On 12/21/11 15:51, Paul Reeves wrote:
> On Wednesday 21 December 2011 at 12:29 Alex Peshkoff wrote:
>> Writing a batch file is not a problem. But I do not know why it is needed when all you need is:
>> gsec -add sysdba -pw %new_password%
> Don't forget we are talking about Windows users here :-) (g,d&r). A lot of them will not even know there is a command-line. Even then, one of the design goals of the installer is to install a fully working system from the installer itself.

As far as I understand, in case of a high-level GUI installer that command will be invoked by the installer itself. And what about ZIP - may I ask, how does it work now? I've thought that people at least need to register the Windows service themselves after opening the archive. Am I wrong?
Re: [Firebird-devel] Initializing security database for first use
21.12.2011 12:59, Alex Peshkoff wrote:
> And what about ZIP - may I ask, how does it work now? I've thought that people at least need to register the Windows service themselves after opening the archive. Am I wrong?

For regular users - no, but developers used to use FB server in application mode.

--
SY, SD.
Re: [Firebird-devel] Initializing security database for first use
On 12/21/11 16:02, Dimitry Sibiryakov wrote:
> 21.12.2011 12:59, Alex Peshkoff wrote:
>> And what about ZIP - may I ask, how does it work now? I've thought that people at least need to register the Windows service themselves after opening the archive. Am I wrong?
> For regular users - no, but developers used to use FB server in application mode.

Sorry - maybe my question was not precise enough. Does our zip archive contain something (a batch file) that helps with further install after unzipping the files?
Re: [Firebird-devel] Initializing security database for first use
Alex Peshkoff [2011-12-21 13:07]:
> Sorry - maybe my question was not precise enough. Does our zip archive contain something (a batch file) that helps with further install after unzipping the files?

Yes:
https://firebird.svn.sourceforge.net/svnroot/firebird/firebird/branches/B2_5_Release/builds/install/arch-specific/win32/
install_classic.bat
install_super.bat
install_superclassic.bat
Re: [Firebird-devel] Initializing security database for first use
On Wednesday 21 December 2011 at 12:26 Alex Peshkoff wrote:
> Just one idea. Maybe not a check box, but a radio box with 3 choices

That is a possibility. I think the final decision will depend partly on the architecture of innosetup and the logic of the order of the screens.

> BTW, will the default be masterkey or masterke? Those are different things now.

Are you saying that if the default is set to masterke and the user types masterkey that the login will fail? And the same with typing masterke when the password is masterkey? If that is the case we might have some very confused users. At the moment I would suspect a majority type masterkey because it is the documented default *and* it is a meaningful word. And there is probably a large minority who think they are being clever by only typing eight letters because they know the ninth letter is ignored.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Specialists in Firebird support
Re: [Firebird-devel] Initializing security database for first use
On 20/12/2011 11:20, Alex Peshkoff wrote:
> I wonder, is it possible to change the Windows installer to initialize the security database? Next, for ZIP install people will have to run gsec the first time manually. Are these changes OK for us?

I don't think it is, especially for zip. I think binding the server to listen only on 127.0.0.1 and setting a comment right in this config about the password is better.

Adriano
Re: [Firebird-devel] Initializing security database for first use
On 12/20/11 17:26, Adriano dos Santos Fernandes wrote:
> On 20/12/2011 11:20, Alex Peshkoff wrote:
>> I wonder, is it possible to change the Windows installer to initialize the security database? Next, for ZIP install people will have to run gsec the first time manually. Are these changes OK for us?
> I don't think it is, especially for zip. I think binding the server to listen only on 127.0.0.1 and setting a comment right in this config about the password is better.

Probably, but I think that a message about the security database not being ready for use (probably with advice on what to do) is better than:

Statement failed, SQLSTATE = 08006
Unable to complete network request to host XXX.
-Failed to establish a connection.
-Connection refused
Re: [Firebird-devel] Initializing security database for first use
On 20/12/2011 11:41, Alex Peshkoff wrote:
> On 12/20/11 17:26, Adriano dos Santos Fernandes wrote:
>> On 20/12/2011 11:20, Alex Peshkoff wrote:
>>> I wonder, is it possible to change the Windows installer to initialize the security database? Next, for ZIP install people will have to run gsec the first time manually. Are these changes OK for us?
>> I don't think it is, especially for zip. I think binding the server to listen only on 127.0.0.1 and setting a comment right in this config about the password is better.
> Probably, but I think that a message about the security database not being ready for use (probably with advice on what to do) is better than:
>
> Statement failed, SQLSTATE = 08006
> Unable to complete network request to host XXX.
> -Failed to establish a connection.
> -Connection refused

If a very clear (for newbies) message is returned, then ok.

Adriano
Re: [Firebird-devel] Initializing security database for first use
On Tuesday 20 December 2011 at 14:20 Alex Peshkoff wrote:
> I wonder, is it possible to change the Windows installer to initialize the security database?

It is possible, but I'm not sure it is practical or desirable. It would be interesting to know what percentage of deployments are for development and what percentage are for production. For development the requirement to set a password for SYSDBA will be a real pain. Obviously production deployment should require that SYSDBA does not use the masterkey password.

I suspect that the solution for Windows will require implementing one of the following:

o provide a screen that asks the user to enter a new SYSDBA password. Default will be masterkey so the user can click through as usual.

or

o Add a checkbox that allows a user to keep SYSDBA/masterkey. Default will be unchecked. If unchecked then the next screen will ask the user to enter a new password.

The latter solution will encourage more users to create a new password because most users will click through before reading the screen properly.

We also need to deal with scriptable installs. For this I would suggest a command-line option that specifies the new password (which could be masterkey). If no password is provided then the installation would fail.

Paul
--
Paul Reeves
http://www.ibphoenix.com
Specialists in Firebird support