Hi, I checked how well the Mifos DB implemented on MySQL fits the security guidelines from MySQL: http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html
Here I report those items and my conclusion:

MySQL Recommendations for Security, see [1]:

When running MySQL, follow these guidelines whenever possible:

1. Do not ever give anyone (except MySQL root accounts) access to the user table in the mysql database! This is critical.

2. Learn the MySQL access privilege system. The GRANT and REVOKE statements are used for controlling access to MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts.

3. Try mysql -u root. If you are able to connect successfully to the server without being asked for a password, anyone can connect to your MySQL server as the MySQL root user with full privileges! Review the MySQL installation instructions, paying particular attention to the information about setting a root password. See Section 2.4.16.3, “Securing the Initial MySQL Accounts”.

4. Use the SHOW GRANTS statement to check which accounts have access to what. Then use the REVOKE statement to remove those privileges that are not necessary.

5. Do not store any plain-text passwords in your database. If your computer becomes compromised, the intruder can take the full list of passwords and use them. Instead, use MD5(), SHA1(), or some other one-way hashing function and store the hash value.

6. Do not choose passwords from dictionaries. Special programs exist to break passwords. Even passwords like “xfish98” are very bad. Much better is “duag98” which contains the same word “fish” but typed one key to the left on a standard QWERTY keyboard. Another method is to use a password that is taken from the first characters of each word in a sentence (for example, “Mary had a little lamb” results in a password of “Mhall”). The password is easy to remember and type, but difficult to guess for someone who does not know the sentence.

Notes on how well Mifos MySQL fits the recommendations:

Points 1, 2, 3 and 4 seem to conform with the recommendations.
Point 5: In Mifos the root password is in clear in the build.properties file: if the file or the password is removed after the installation, this problem will not exist anymore. The Mifos password is using the UpdateMifosPassword class to store a hash value. Tomcat supplies a class to apply MD5, MD2 or SHA, see Digested Passwords: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Digested%20Passwords

Point 6: To be investigated.

Best Regards
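As an added example (not code from the Mifos project or from the MySQL documentation), here is a small audit script for points 1 to 4 of the guidelines quoted above. It parses text in the shape that SHOW GRANTS prints and flags grants to all hosts ('%'), ALL PRIVILEGES on *.* for non-root accounts, access to the mysql.user table, and WITH GRANT OPTION. The grant lines below are constructed sample data, not output from a Mifos installation; in practice you would collect SHOW GRANTS output for every account listed in mysql.user and feed it to audit().

```python
"""Audit SHOW GRANTS output against the MySQL security guidelines.

Added example, not part of the Mifos project. Assumes each input line is one
GRANT statement as printed by SHOW GRANTS FOR 'user'@'host'.
"""
import re

# Constructed sample in the shape of SHOW GRANTS output (one statement per line).
SAMPLE_GRANTS = """\
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE ON `mifos`.* TO 'mifos'@'localhost' IDENTIFIED BY PASSWORD '*HASH'
GRANT ALL PRIVILEGES ON *.* TO 'mifos'@'%'
GRANT SELECT ON `mysql`.`user` TO 'report'@'10.0.0.5'
GRANT USAGE ON *.* TO 'anon'@'localhost'
"""

# Captures the privilege list, the scope (db.table) and the account the grant is for.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return a dict describing one GRANT statement, or None if the line is not one."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = [p.strip().upper() for p in m.group("privs").split(",")]
    scope = m.group("scope").replace("`", "")  # `mysql`.`user` -> mysql.user
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "privs": privs,
        "scope": scope,
        "grant_option": "WITH GRANT OPTION" in line.upper(),
    }


def audit_grant(g):
    """Return the list of guideline violations for one parsed grant (empty if none)."""
    findings = []
    is_root = g["user"] == "root"
    db, _, table = g["scope"].partition(".")
    if g["host"] == "%":
        findings.append("granted to all hosts ('%')")
    if "ALL PRIVILEGES" in g["privs"] and g["scope"] == "*.*" and not is_root:
        findings.append("ALL PRIVILEGES on *.* for a non-root account")
    if db == "mysql" and table in ("user", "*") and not is_root:
        findings.append("access to mysql.user table")
    if g["grant_option"] and not is_root:
        findings.append("WITH GRANT OPTION")
    return findings


def suggest_revoke(g):
    """Build the REVOKE statement that undoes the given grant (for the DBA to review)."""
    return "REVOKE {} ON {} FROM '{}'@'{}'".format(
        ", ".join(g["privs"]), g["scope"], g["user"], g["host"]
    )


def audit(text):
    """Map 'user@host' to its findings for every grant line that violates a guideline."""
    report = {}
    for line in text.splitlines():
        g = parse_grant(line)
        if g is None:
            continue
        findings = audit_grant(g)
        if findings:
            report["{}@{}".format(g["user"], g["host"])] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_GRANTS).items():
        print(account, "->", "; ".join(findings))
```

Running the script on the sample reports mifos@% (all hosts, ALL PRIVILEGES on *.*) and report@10.0.0.5 (mysql.user access); root@localhost is left alone, since the guideline reserves the user table for root accounts. The REVOKE text from suggest_revoke() is meant to be reviewed and applied by hand, not executed blindly.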
