Java Forum / General / September 2006

encrypting password

Lionel - 10 Sep 2006 23:47 GMT
Hi,

My application currently stores a user name and password using the
Preferences class. I assume this is stored somewhere in plain text,
either way it is insecure. How do I go about saving a password when it
is entered so that I don't have to ask for it later? The password is
used to access MySQL.

Lionel.
Arne Vajhøj - 11 Sep 2006 00:04 GMT
> My application currently stores a user name and password using the
> Preferences class. I assume this is stored somewhere in plain text,
> either way it is insecure. How do I go about saving a password when it
> is entered so that I don't have to ask for it later? The password is
> used to access MySQL.

It is very difficult to both enable your program to
read the password and prevent the user from reading
the password.

For client side apps it is often the best to give users
individual passwords and have them enter it.

Arne
Lionel - 11 Sep 2006 00:22 GMT
>> My application currently stores a user name and password using the
>> Preferences class. I assume this is stored somewhere in plain text,
[quoted text clipped - 8 lines]
> For client side apps it is often the best to gives users
> individual passwords and have them enter it.

I was actually sort of thinking that might be the case. When I thought
about the problem I couldn't think how it would be possible. Maybe I
need to make it a little less user friendly by requiring them to enter a
password.

Lionel.
Brandon McCombs - 11 Sep 2006 03:16 GMT
>>> My application currently stores a user name and password using the
>>> Preferences class. I assume this is stored somewhere in plain text,
[quoted text clipped - 15 lines]
>
> Lionel.

I am working on an LDAP administration client-side application which
provides various options for the administrator to authenticate through
the app back to the LDAP server. One is using Kerberos through Windows
XP but another is simply entering a username and password. I allow the
configuration to be saved to disk but I do not save the password in that
file. I always require the user to enter the password (after loading
their config data from the file) before they can connect to the LDAP
server. I also use a JPasswordField to mask the password but I do keep
it around in plaintext in the object that represents the configuration
settings.

hope that helps.
jiji - 11 Sep 2006 10:41 GMT
> My application currently stores a user name and password using the
> Preferences class. I assume this is stored somewhere in plain text,
> either way it is insecure. How do I go about saving a password when it
> is entered so that I don't have to ask for it later? The password is
> used to access MySQL.

Why can't you use some kind of encryption (MD5, SHA etc.) before putting it
as a node?
And later, whenever you need that password, just decrypt it.
Dag Sunde - 11 Sep 2006 10:45 GMT
>> My application currently stores a user name and password using the
>> Preferences class. I assume this is stored somewhere in plain text,
[quoted text clipped - 5 lines]
> as a node??
> and later, whenever u need that password, jus decrypt it..

And how do you "decrypt" a one-way hash?
:-)

Dag.

jiji - 11 Sep 2006 11:01 GMT
> > why cant u use some kind of encryption(MD5, SHA etc) before puting it
> > as a node??
>
> And how do you "decrypt" an one-way hash?
> :-)

Yes, it's not possible, so you can use other encryptions like DES.

My application uses MD5 encryption for storing the password in the DB and
when the user logs in to the application, the password supplied by the
user will be encrypted with MD5 and compared with the DB - this way I'm
authenticating.
Matt Humphrey - 11 Sep 2006 12:23 GMT
>> > why cant u use some kind of encryption(MD5, SHA etc) before puting it
>> > as a node??
[quoted text clipped - 3 lines]
>
> Yes.. its not possible.. so.. you can use other encyptions like DES..

As others have been trying to point out, you can't encrypt the password even
with DES or any other technique because doing so requires a key for
decryption which must also be stored, or have the user enter. Simply having
the user enter the password is the best choice in this case. (Although if
you have many passwords and other data to secure you can store them all and
have the user enter the main key, but that's a different story.)

> My application uses MD5 encryption for stroing the password in DB and
> when the user log in to the application, the password supplied by the
> user will be encrypted with MD5 and  compared with DB - this way I'm
> authenticating.

This technique is perfectly fine and is very common for authentication. It
just doesn't apply to the OP's problem which is to store a password that can
be re-sent to another application.

Matt Humphrey matth@ivizNOSPAM.com http://www.iviz.com/
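Matt's aside about storing many secrets under one key the user types in is the only variant in this thread where encryption actually buys something, because the key is derived from the user's input and never written to disk. The following is an added example of that design (not Matt's code, not Lionel's application): the MySQL password is encrypted with AES-GCM under a key derived by PBKDF2 from a master passphrase, and only the salt, nonce and ciphertext go into `Preferences`. The node path, preference keys and sample strings are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.prefs.Preferences;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class MasterKeyVault {
    private static final int ITERATIONS = 200_000;
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;        // recommended GCM nonce length
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Derives the AES key from the typed master passphrase. The key lives only in memory.
    private static SecretKey deriveKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                         .generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword();                  // wipe the spec's copy of the passphrase
        }
    }

    // Returns base64(salt || iv || ciphertext+tag): the only thing that is persisted.
    static String seal(char[] master, byte[] secret) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);                          // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(secret);
        byte[] blob = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_BYTES);
        System.arraycopy(iv, 0, blob, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, blob, SALT_BYTES + IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    // Wrong passphrase or a modified record fails the GCM tag check (AEADBadTagException).
    static byte[] open(char[] master, String stored) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical node and keys; a real client would use its own package node.
        Preferences prefs = Preferences.userRoot().node("/example/mysql-vault");
        char[] master = "master passphrase typed at startup".toCharArray();  // constructed
        byte[] dbPassword = "s3cret-mysql-pw".getBytes(StandardCharsets.UTF_8); // constructed

        prefs.put("mysql.user", "appuser");
        prefs.put("mysql.password.sealed", seal(master, dbPassword));  // ciphertext only

        byte[] recovered = open(master, prefs.get("mysql.password.sealed", null));
        System.out.println("recovered: " + new String(recovered, StandardCharsets.UTF_8));

        Arrays.fill(recovered, (byte) 0);           // drop plaintext as soon as it has been used
        Arrays.fill(dbPassword, (byte) 0);
        Arrays.fill(master, '\0');
        prefs.removeNode();                         // clean up the example node
    }
}
```

This does not remove the prompt Lionel wanted to avoid; it replaces the MySQL password prompt with a master-passphrase prompt. It only pays off, as Matt says, when one passphrase unlocks several secrets. Note that the record carries no integrity-protected metadata beyond what GCM authenticates, so the iteration count is fixed in code here; a fielded version would store and authenticate it as additional associated data.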
jiji - 11 Sep 2006 12:39 GMT
> >> > why cant u use some kind of encryption(MD5, SHA etc) before puting it
> >> > as a node??
[quoted text clipped - 10 lines]
> you have many passwords and other data to secure you can store them all and
> have the user enter the main key, but that's a different story.)

Why can't we use some key for encryption, at least for a login session?
See, if it's a web application, then you can use the session id as the
encryption key,
or you can use the user name as the encryption key.

In one of the applications I'm currently working on, the key for encryption
will be generated as follows:

Key : head + userName + mid + session id + tail

head, mid, tail are 10 digit numbers which will be generated randomly
on each application startup (meaning when you start the web application,
these numbers will be generated and stored in a static variable). These
numbers are used to ensure the security of the system.

And for all other encryptions, I use this key.

For each user login, userName and session id will change and it will
be valid as long as the session is alive.

Jiji
Oliver Wong - 11 Sep 2006 21:15 GMT
>> As others have been trying to point out, you can't encrypt the password
>> even
[quoted text clipped - 7 lines]
>
> Why cant we use some key for encryption atleast for a login session??

   Because you'd have to store that key somewhere in order to later use it
for decryption.

   Either you have a secure place to store that key, or you don't. If you
do have a secure place to store that key, then you might as well just store
the original password there instead, and save yourself all this hassle. If
you don't have a secure place to store the key, then you haven't gained any
security at all, because any malicious user could gain access to your key,
and decrypt your original password.

   - Oliver
Gordon Beaton - 11 Sep 2006 11:16 GMT
>> why cant u use some kind of encryption(MD5, SHA etc) before puting
>> it as a node?? and later, whenever u need that password, jus
>> decrypt it..
>
> And how do you "decrypt" an one-way hash?
>:-)

Why should you *need* to decrypt it?

/gordon

[ don't email me support questions or followups ]
g o r d o n  +  n e w s  @  b a l d e r 1 3 . s e

Dag Sunde - 11 Sep 2006 11:34 GMT
>>> why cant u use some kind of encryption(MD5, SHA etc) before puting
>>> it as a node?? and later, whenever u need that password, jus
[quoted text clipped - 6 lines]
>
> /gordon

Because the OP wants to store them to use for mySQL login later:
<quote>
   The password is used to access MySQL.
</quote>

Dag.

Lionel - 11 Sep 2006 22:41 GMT
>>>> why cant u use some kind of encryption(MD5, SHA etc) before puting
>>>> it as a node?? and later, whenever u need that password, jus
[quoted text clipped - 9 lines]
>     The password is used to access MySQL.
> </quote>

I think it's become clear that to keep the password secure it must be
entered by the user at start up. I can then authenticate and get a
connection to the database and all is done. It just means that each time
the application is restarted they must re-enter their password. A minor
inconvenience but that's the way it's got to be.

Lionel.
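The approach Lionel settles on, and that Brandon describes for his LDAP client (save the configuration without the password, prompt with a `JPasswordField` on every start), as an added example in Java. It is not Lionel's or Brandon's code. One detail it adds to Brandon's description is keeping the password as a `char[]` and zeroing it after the connection is made, rather than leaving it in the configuration object as a `String`. The preferences node, preference keys, host name and user are constructed for the example; connecting requires a MySQL JDBC driver on the classpath.

```java
import java.awt.GraphicsEnvironment;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;
import java.util.prefs.Preferences;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;

public class ConnectionConfig {
    // Hypothetical node. Only non-secret settings live here; there is deliberately no "password" key.
    private static final Preferences PREFS = Preferences.userRoot().node("/example/dbclient");

    static void saveConfig(String host, int port, String database, String user) {
        PREFS.put("host", host);
        PREFS.putInt("port", port);
        PREFS.put("database", database);
        PREFS.put("user", user);
    }

    static String jdbcUrl() {
        return "jdbc:mysql://" + PREFS.get("host", "localhost") + ":" + PREFS.getInt("port", 3306)
             + "/" + PREFS.get("database", "");
    }

    // Asked on every start. Returns a char[] the caller can wipe, or null if the user cancels.
    static char[] promptPassword(String user) {
        if (GraphicsEnvironment.isHeadless()) {
            return System.console() == null ? null
                 : System.console().readPassword("Password for %s: ", user);
        }
        JPasswordField field = new JPasswordField(20);   // masks input in the dialog
        int choice = JOptionPane.showConfirmDialog(null, field, "Password for " + user,
                JOptionPane.OK_CANCEL_OPTION, JOptionPane.PLAIN_MESSAGE);
        return choice == JOptionPane.OK_OPTION ? field.getPassword() : null;
    }

    // Uses the password once to open the connection, then wipes the array.
    static Connection connect(char[] password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", PREFS.get("user", ""));
        // JDBC insists on a String, so a String copy exists briefly; keep its scope minimal.
        props.setProperty("password", new String(password));
        try {
            return DriverManager.getConnection(jdbcUrl(), props);
        } finally {
            props.remove("password");
            Arrays.fill(password, '\0');              // nothing secret remains in the config object
        }
    }

    public static void main(String[] args) throws Exception {
        saveConfig("db.example.internal", 3306, "inventory", "appuser"); // constructed values
        char[] pw = promptPassword(PREFS.get("user", ""));
        if (pw == null) {
            System.out.println("no password entered; not connecting");
            return;
        }
        try (Connection conn = connect(pw)) {
            System.out.println("connected to " + conn.getMetaData().getURL());
        }
    }
}
```

Zeroing the `char[]` is best effort: the `String` handed to JDBC cannot be cleared, and the driver may keep its own copy for reconnects. What the pattern guarantees is the point of the thread, that nothing on disk lets a reader of the preferences file log in as the user.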
RedGrittyBrick - 12 Sep 2006 23:27 GMT
>>My application currently stores a user name and password using the
>>Preferences class. I assume this is stored somewhere in plain text,
[quoted text clipped - 5 lines]
> as a node??
> and later, whenever u need that password, jus decrypt it..

Dag Sunde already pointed out that MD5 is a one-way hash that cannot be
decrypted.

If you used a symmetric encryption algorithm instead, you'd still have
to store the encryption/decryption key somewhere safe, so you're not
really achieving much.

©2008 Advenet LLC   Privacy Policy - Terms of Use