Currently the Oracle extension for vs code stores passwords as clear text. This applies to all versions of the extension including the most recently released version 21.4.0
When will the extension store the passwords encrypted?
e.g. using the create connection dialog:
In the dialog the password is hidden, however in the settings file, it is in clear text:
{
"authenticationType": 1,
"dBAPrivilege": "SYSDBA",
"userID": "SYS",
"passwordSaved": true,
"password": "oracle",
"dataSource": "localhost:1521/xepdb1",
"connectionType": 2,
"databaseHostName": "localhost",
"databasePortNumber": "1521",
"databaseServiceName": "xepdb1",
"name": "SYS.xepdb1",
"currentSchema": "",
"tnsAdmin": "C:\\Users\\geral\\Oracle\\network\\admin"
}
Now, if this was a connection to a production database, it could be used by an intruder.
On Windows, e.g. this extension should use the Windows Credential Manager to store passwords securely