I'm amazed at the lack of security SourceGear placed on their Vault product. My company considered using Vault and making it a standard for all 30+ developers, but we discovered that the server doesn't lock out an account after 3 failed login attempts. For that matter, it doesn't lock out the account after 30 failed login attempts. This means the system is wide open to dictionary attacks. Of course one response to dictionary attacks is strong passwords. But, amazingly enough, Vault doesn't enforce any password policies. The administrator can create a strong password for an account, but the user can change that password to anything they want, including a blank password.
We couldn't justify making our source code available to the world. So until SourceGear institutes security in their product we'll pursue other alternatives.
I'm surprised any company out there would place their Intellectual Property at risk by using Vault.
Lack of Security
Moderator: SourceGear
- Posts: 114
- Joined: Fri Mar 05, 2004 11:18 am
- Location: Raleigh, NC
Our Vault server is only visible on the Private network. All remote access must be performed through a VPN tunnel. Performance is excellent - actually phenomenal if you're an ex-Sourcesafe user.
If someone has breached our firewall and has successfully done a domain login, our intellectual property is just one of a multitude of problems...
Don
I agree with Don here. Our Vault server is only visible on our private network; home workers need to gain VPN access before logging into Vault. If anybody were to get through our firewall, VPN and domain security, Vault access would just be one of a big list of worries.
Our internal network users love the performance of Vault, definitely faster than VSS. Our external users previously relied on Source OffSite, which was fast, but not as fast as Vault.
Someone correct me if I'm wrong, but I believe you can configure IIS to require Windows Authentication for the Vault URL instead of allowing anonymous access. Combine this with putting the server behind a firewall and only forwarding port 443, so users have to connect with SSL, and you should have the security and password management features you need. This would complicate things in that the user now has two separate usernames and passwords that they need to access Vault from offsite.
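The IIS hardening suggested in the post above, written out as an added example; it is not from the thread, from SourceGear, or from Vault's own documentation. It assumes a modern IIS (7.x or later) with the WebAdministration PowerShell module, and the site name "Default Web Site" and application path "VaultService" are placeholders for wherever the Vault web service is actually installed. The script disables anonymous access and enables Windows Authentication for that path only, requires SSL on it, and then reads the effective settings back so the change can be verified rather than assumed.

```powershell
# Added example (not Vault's or SourceGear's code): restrict the Vault web
# application to Windows Authentication over HTTPS on IIS 7+ and verify it.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumption: IIS site that hosts Vault
$app      = 'VaultService'       # assumption: Vault's virtual directory/application
$location = "$site/$app"
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # write into applicationHost.config, which
                                        # works even when the auth sections are
                                        # locked against delegation to web.config

# 1. No anonymous access to the Vault URL: every request must carry a
#    Windows (Kerberos/NTLM) identity that the domain has validated.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# 2. Require SSL so neither credentials nor source cross the wire in clear text.
#    (The firewall forwarding only 443, as the post suggests, is separate.)
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 3. Read the effective configuration back and fail loudly if it is not
#    what we intended.
$anon = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled).Value
$ssl  = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags)

if ($anon -or -not $win -or ($ssl -notmatch 'Ssl')) {
    throw "Vault path '$location' is not locked down: anonymous=$anon windows=$win sslFlags=$ssl"
}
Write-Output "Vault path '$location': anonymous=$anon windows=$win sslFlags=$ssl"
```

With this in place, credential checking for the HTTP layer is done by Windows, so the account lockout threshold and password complexity that the original poster found missing in Vault are supplied by the domain's Account Policies rather than by Vault itself. The caveat from the post still holds: Vault's own login is unchanged and sits behind the Windows one, so remote users carry two sets of credentials, and the Vault-level password policy is no stronger than before.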