CEL 847 – Require old password when changing the password
At the moment users can change their passwords without the old one being checked.
CEL 814 – Improve Cello User security
At the moment Cello stores the database user in an AppConfig file. This leaves the app open to someone running a hex editor on Cello.exe, pulling out the App_Key, then reversing the encryption to figure out the SQL user.
To get round this, we need to tie the Cello users to SQL users and store the password in the SQL user, then remove the UserName and Password from the AppConfig file.
Cello would then open the Login screen without connecting to the database, and then build the connection string out of the UserName and Password the user enters along with the instance name taken from the AppConfig file.
Note: This will affect the logo on the login screen.
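A sketch of the login-time connection build described for CEL 814, added here as an illustration and not taken from Cello's code. It assumes Cello is a .NET client using System.Data.SqlClient; the appSettings keys "SqlInstance" and "SqlDatabase" and the class and method names are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

// Added illustration, not Cello's code. Assumes a .NET client; the appSettings
// keys "SqlInstance" and "SqlDatabase" are hypothetical names.
public static class LoginConnection
{
    // Builds the connection string from what the user typed plus the instance
    // name from the config file. No credentials are read from configuration.
    public static string Build(string instance, string database,
                               string userName, string password)
    {
        // The builder quotes each value, so a ';' or '=' typed into the
        // password box stays part of the password instead of becoming an
        // extra keyword (which plain string concatenation would allow).
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = instance,
            InitialCatalog = database,
            UserID = userName,
            Password = password,
            IntegratedSecurity = false,
            PersistSecurityInfo = false // do not expose the password after Open()
        };
        return builder.ConnectionString;
    }

    // Returns true when SQL Server accepts the login. The server, not the
    // client, is now the component that checks the password.
    public static bool TryLogin(string userName, string password)
    {
        string instance = ConfigurationManager.AppSettings["SqlInstance"];
        string database = ConfigurationManager.AppSettings["SqlDatabase"];
        try
        {
            using (var conn = new SqlConnection(Build(instance, database, userName, password)))
            {
                conn.Open();
                return true;
            }
        }
        catch (SqlException ex) when (ex.Number == 18456) // SQL Server "login failed"
        {
            return false;
        }
    }
}
```

Other SqlException numbers (instance unreachable, database missing) are deliberately not caught, so the login screen can tell a wrong password apart from a connectivity problem.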