Need to answer customer security issues. Could you please answer
Is password encrypted (also at transit)?
Are passwords both salted and hashed?
What key length are you using for encryption?
Thanks for reaching out with your question. Since you didn't explicitly denote which passwords you refer to, I'll presume you're referring to passwords used in Data Sources. Please correct me if I'm mistaken.
First and foremost, whether the password is encrypted in transit depends on your connection to your RDBMS. If you're connecting via SSL, then the connection is encrypted. If you haven't explicitly configured it as such, the authentication may be in plain text.
In regards to the passwords at rest, these are encrypted as they are stored for use with Yellowfin. Sharing specific details of our manner of encryption, however, would violate our policies and potentially put other Yellowfin clients at risk. For this reason, I cannot give specific answers to how we encrypt our passwords.
I hope this information helps!
1. Actually both Data Source passwords and YF passwords.
2. Supporting salted and hashed passwords and key length is violating security policy? So I should know what policy you are violating. We need to support a level of security for our customers!
1. I'm unsure as to whether we use the same method of encryption for both passwords stored in the database and the password stored in the configuration file.
2. While supporting salted and hashed passwords and having proper key lengths does not violate security policy, publicly disclosing the methods we DO use to encrypt our passwords does. This is a request that will have to be handled by a higher authority than myself.
I've placed this for review by the Australian team to determine how best to proceed.
I can verify that any password stored in a configuration file is encrypted using 3DES encryption.
Any passwords stored in the Yellowfin Configuration Database are hashed to prevent a compromise of data if the Configuration Database is breached. The clarification here is that these are hashed and not encrypted.
Does this address your questions?
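As an added illustration (not Yellowfin's code, whose method the thread says is not disclosed) of what "salted and hashed" means for the login passwords discussed above, and why such a record can only be verified, never recovered, unlike an encrypted data-source credential that the application must decrypt to present to the RDBMS. The PBKDF2 parameters and the record layout are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not Yellowfin's): PBKDF2-HMAC-SHA256,
# a per-password random 16-byte salt, and a deliberately slow iteration count.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is stored beside the hash; it is not secret, it only ensures that
    two users with the same password get different records and that a
    precomputed table cannot be reused across accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash from the stored salt and compare in constant time.

    Nothing here can turn the record back into the password: verification is
    the only operation a one-way hash supports, which is exactly why it suits
    login passwords but not a data-source credential the app must send onward.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False  # unknown or legacy algorithm; reject rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_are_salted(record_a, record_b):
    """True when two records for the same password differ, i.e. each got its own salt."""
    return record_a.split("$")[2] != record_b.split("$")[2] and record_a != record_b
```

Storing the same password with a fixed salt would produce identical records every time, which is the property a per-password random salt removes.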
I'm going to mark this as Answered, as I haven't heard back from you for some time on this.