How can I change the password of user azure in MySQL in App?
What I have tried so far:
There are two configuration files named MYSQLCONNSTR_localdb.txt and MYSQLCONNSTR_localdb.ini. I have changed the default password there, but nothing happened. Also, if I change the password using PHPMyAdmin, then I cannot login again to PHPMyAdmin (for reasons unknown to me) using the new credentials.
Quoting the doc:
Can I customize the database, username and password to be used?
Yes. The connection string is stored at
D:\home\data\mysql\MYSQLCONNSTR_localdb.txt. The application (such
as wordpress) reads from this file for what database, username and
password to use. This also applies to what to backup and restore
provided by Azure WebApps. If you want to customize the database,
username and password, after you have created a new database, add new
username or update password, simply modify
D:\home\data\mysql\MYSQLCONNSTR_localdb.ini, remove
D:\home\data\mysql\MYSQLCONNSTR_localdb.txt and restart the WebApps.
Related
I am trying to deploy a very simple nodejs api through Heroku and utilizing the clearDB add on so I can connect to the MySQL db the api utilizes. I had everything connected and working then realized I had hard coded and exposed the database user and password information. I reset the password on clearDB to reset the exposed information. So far I have created environment variables locally and the config variable for the new password on Heroku but now the app crashes anytime I try to connect to the db, is there somewhere else that the new password will be needed?
ClearDB stores the username and password information inside the URL to the db so if you only updated it in the config variable for the password you will also need to update it in the variable containing the URL string as well.
My Java app for Windows requires uploading results to a server using an ftp client. Currently, I have the port, sever URL, username and password in an ini file that the app installer places on the users computer. I'm concerned that a user can easily open the ini file and see these credentials and thus be able to log in to my account on the server. I'm considering encryption of the username & password. Or, just ask the user to provide his/her own credentials, perhaps using Google or other free outgoing service? Are there better ways of handling this?
With SFTP, a connection can be authenticated using a couple different techniques one of them involves using Public / Private Key Pair.
With key-based authentication, you will need to generate a SSH private key and public key beforehand. If you want to connect to a partner's SFTP server, you would then send your SSH public key to them so they can load onto their server and associate with your account. Then, once you've connected to their SFTP server, your client software will transmit your public key to the server for authentication. If the keys match, along with any username/password supplied, the authentication will succeed.
Finally got back to this issue, and here's what I've learned.
First, I've decided to provide FTP access on my hosting server with a "home" directory so the user can't access site data other than his own. I will provide the username and password to the user. Second, the username will be stored in the Windows app database. Third, neither the password or a SaltHash of that password will be stored in the database. Thus the user must type in the password on each FTP upload.
The reason for not using SaltHash because is it's pointless. I.e., if I did go to the trouble of creating and storing a SaltHash, the user would still have to type in a password. That entered password could be salt hashed and compared with the stored SaltHash to be sure it's valid but that's no better than getting an acceptance or rejection from the server.
Or, what am I missing?
Context:
I'm trying to use a custom windows account for application pool, and enable Oracle OS authentication so that we would not have to store DB username and password in a config file.
Problem:
This setup works, however, I've noticed that I am able to 'recover' password using appcmd.exe. Is there a way to make sure someone with administrative and physical access cannot read the password in plain text?
This is a Windows 2016 machine, IIS 10. Password looks encrypted when looking into applicationHost.config file.
Following command shows the password:
%systemroot%\system32\inetsrv\appcmd.exe list apppool "ImoAppPool" /text:*
I am using Microsoft Access 2010 with unbound forms. No linked tables allowed, otherwise the connections string is stored in the table definitions. So it follows that we will use a query definition with no name to access SQL SERVER. This is recommended by Microsoft. We need to get the connection string from somewhere though. So it is recommended to return it from a method with a obfuscated name. It is recommended not to embed the connection string in plain text in the application source. So we use encryption.
A good way of doing this is to require the applications administrator to define the connection string at the first run of the application and according to this msdn article
...encrypt its value via DPAPI with a user-specific key of the account under which the application runs, and save the encrypted value in the Windows registry.
The accde launches from the logged on windows user account, after which the apps admin can login and setup the connection to the database, following the recommendations above.
The weakest link i now seem to have is the windows user account. It seems that anyone logged in to that account could decrypt the connectionstring if they knew the implementation of the security scheme. Which means that the system still is not secure enough.
I could create a new windows user, but that would mean that the password for that user must be kept safe, which means we are back at square 1, securing the password that is used to access some secret information.
There must be an easier way, any ideas?
Is there a reason you need to persist the connection string from session to session? Could you instead build a log-in form in your application where you accept the user's credentials, server instance and database name that they will be connecting to and keep this information in memory while the application is running?
This might provide more flexibility in that the administrator could decide to move the database to a new server and wouldn't have to worry about decrypting the connection string to change it and re-encrypt it. It would also allow for multiple databases to be defined - I'm thinking of a situation where you would have a QA server defined for testing changes before rolling out to the production server.
I need to implement the Win2k3 password validation policy. As my application resides on Win2k3 cane we validate the password directly with windows domain password by using LDAP. This is because application design does not want to store 8/more password entry into DB and validate new password against that. As Windows already does same thing and using LDAP we can lookup into windows server.
Can any one please let me know LDAP API to fulfill above requirement in VC++.
There is an API that Secure Ops, Novell's Identity Manager, and other products use to plugin to the password change functionality. (I do not know the API name, sorry).
It requires a password filter installed on each domain controller, since the only time it can catch the clear text password to try and do anything with it is when it is being changed, and it might be changed on any given DC at any moment in time.