MS Security Gotcha (OT) by footpad (Abbot)
on Feb 16, 2002 at 23:06 UTC
Update #1: s/OBDC/ODBC; Grrr...I hate that tpyo.
I flagged this as OT, because it's not really a Perl issue, but since I discovered something while working on a Perl script, I thought it worth sharing. It's something some of you might run into. (And if you have and I've missed something, then please help me out.)
Here's the skinny. I've been working on some scripts to be run from my personal machine (Windows 98, sorry). These connect to a MySQL server on my webhost. (You can see where this is going, right?)
I dutifully installed MyODBC 3.51 and configured the ODBC Data Source Administrator to connect. As you might expect, I entered the username and password I use to access the MySQL database and then tested the connection, which worked. Yay!
Later, I thought I'd write some of the lessons I learned for my website, just in case anyone else runs into the same problems. Well, I had troubles duplicating my earlier success. Yet, when reviewing the settings of both, the values all looked the same.
So, I figured I'd take a quick peek at the Registry, just in case there was some hidden setting that hadn't been surfaced. (A valid thought, since I've solved other problems using the same technique.)
I searched the Registry for the name of the working ODBC DSN and was a little startled to see my password sitting there in plaintext. (In this case, it was helpful because in comparing the two passwords, I noticed that I'd been overly tricky and mistyped it the second time.)
Why is this a problem? Well, if I'd left the passwords in there, anyone with access to my machine could find them pretty easily. (Try searching the Registry for keys named "password" some time; quite interesting.)
Typically, I don't save passwords on any machine, but this simply reminded me of a standard rule that bears repeating from time to time: Don't save your passwords anywhere, especially on a machine running a notoriously insecure OS.
Update #2: If you are working on a project (using Perl or not, IMHO) that uses ODBC to connect to remote servers (as part of a web service or not) and this involves Windows 9.x clients, then you may wish to review the DSN's settings as they're stored in the Registry. Personally, I don't think it affects NT/Win2K/XP (especially if you're restricting access to the Registry via Profiles), however, it may be worth checking out. YMMV.[2]
FWIW, I later
And, finally, in case any Softies are lurking, it may be wise to consider encrypting passwords you save to the Registry. It's not that hard.
[2] Based on some private CB discussion, it seems this needed to be expressed more clearly. I posted this because some people use Perl on Windows to connect to a remote MySQL database using ODBC. It happens.
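One way to do the review suggested in Update #2, as an added example that is not footpad's code: a Perl script using Win32::TieRegistry to walk the user and system DSN keys under ODBC.INI and report any DSN that carries a non-empty PASSWORD or PWD value. The value names are assumed driver conventions (MyODBC and others vary), and the script names the DSN but never prints the secret itself.

```perl
#!/usr/bin/perl
# Added example: audit ODBC DSNs in the Registry for stored passwords.
# Assumes Win32::TieRegistry (ships with ActivePerl). The ODBC.INI paths
# are the standard user/system DSN locations; the value names checked are
# assumed driver conventions, so extend @secret_names for other drivers.
use strict;
use warnings;
use Win32::TieRegistry ( Delimiter => '/', ArrayValues => 0 );

my @roots = (
    'CUser/Software/ODBC/ODBC.INI/',      # user DSNs
    'LMachine/Software/ODBC/ODBC.INI/',   # system DSNs
);

# Value names under which a driver may persist the password (assumed).
my @secret_names = qw(PASSWORD PWD Password);

# Return a list of { dsn => name, value => value_name } for every DSN
# under $root_path that has a non-empty value with one of those names.
sub find_stored_passwords {
    my ($root_path) = @_;
    my $root = $Registry->{$root_path} or return ();
    my @hits;
    for my $sub ( $root->SubKeyNames ) {
        next if $sub eq 'ODBC Data Sources';    # index key, not a DSN
        my $dsn = $root->{"$sub/"} or next;
        for my $name (@secret_names) {
            my $val = $dsn->GetValue($name);
            push @hits, { dsn => $sub, value => $name }
                if defined $val && length $val;
        }
    }
    return @hits;
}

for my $path (@roots) {
    for my $hit ( find_stored_passwords($path) ) {
        # Report the location only; the secret stays out of the output.
        print "$path$hit->{dsn}: value '$hit->{value}' holds a stored password\n";
    }
}
```

Run it from an account that can read both hives; a clean result is no output, and any line printed is a DSN whose password should be cleared from the Data Source Administrator and supplied at connect time instead.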