When the workstation connects to the server using ODBC (or in my case, the
Sybase SQL Anywhere driver in Clarion) ... does the password on the
connection string go from the workstation to the server in readable text?
Meaning, what stops someone from scraping the password on the network when
people connect to the database?
This is when the database is in regular form (not AES).
Are there switches I should be using, and if so, what stops someone from just
changing the switches?
From: "Robert Paresi" <FirstInitialLastName@innquest.com>
Subject: How is the DBA password shown in 9.02?
Organization: InnQuest Software
Date: 27 Mar 2009 05:42:15 -0800
Subject: Re: How is the DBA password shown in 9.02?
Date: 27 Mar 2009 06:03:13 -0800
The initial "login" packet is always obfuscated in a normal login
session. (So nobody can "casually scrape" the password out with a tool
such as Wireshark). That said, anyone who is determined/knowledgeable
enough to figure out the algorithm and key that was used to obfuscate
the packet can potentially get the password out.
Going to transport layer security (TLS) is the only way to guarantee a
"secure" login session. (This is true for any technology though and is
certainly not unique to SQL Anywhere). On versions 10 and up, RSA TLS
encryption is included with the base package. (See: "createcert" in the
There's also a number of whitepapers on this topic on our website:
To clarify, TLS uses RSA or ECC, which encrypts the communication stream
across the network. AES is used for block-cipher encrypting the database
when it's stored on-disk (which doesn't affect this mechanism at all).
Jeff Albion, Sybase iAnywhere
iAnywhere Developer Community :
iAnywhere Documentation : http://www.ianywhere.com/developer/product_manuals
SQL Anywhere Patches and EBFs :
Report a Bug/Open a Case : http://case-express.sybase.com/cx/
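
An added example, not part of the original posts and not Sybase code: a small audit that sorts client connection strings into those requesting TLS and those whose login relies on the obfuscated packet alone. It assumes SQL Anywhere's `Encryption` (`ENC`) connection parameter and uses constructed sample strings; check the accepted values against the manual for your version.

```python
import re

ENC_KEYS = ("encryption", "enc")   # assumed long/short names of the parameter
PWD_KEYS = ("password", "pwd")
TLS_RE = re.compile(r"(tls|rsa_tls_fips|rsa_tls|ecc_tls)\s*\(", re.I)

def split_params(conn_str):
    """Split 'k=v;k=v' on ';' but not inside (...), where TLS options
    are themselves ';'-separated."""
    parts, cur, depth = [], [], 0
    for ch in conn_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    params = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def classify(conn_str):
    """'tls' = TLS requested; 'simple'/'none' = no TLS on the connection;
    'unknown' = unrecognised value that needs a manual look."""
    params = split_params(conn_str)
    enc = next((params[k] for k in ENC_KEYS if k in params), "none")
    if TLS_RE.match(enc):
        return "tls"
    return enc.lower() if enc.lower() in ("simple", "none") else "unknown"

def at_risk(conn_strs):
    """Connection strings that carry a password but do not request TLS."""
    return [c for c in conn_strs
            if any(k in split_params(c) for k in PWD_KEYS)
            and classify(c) != "tls"]

# Constructed samples, not taken from the thread.
SAMPLES = [
    "UID=app;PWD=example;ENG=demo",
    "UID=app;PWD=example;ENG=demo;Encryption=simple",
    "UID=app;PWD=example;ENG=demo;ENC=tls(tls_type=rsa;trusted_certificates=server.crt)",
]

if __name__ == "__main__":
    for s in at_risk(SAMPLES):
        print(classify(s), "->", s)
```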