Reputation: 339
I am searching for a way to secure the credentials that are used to communicate with other services. I have stored all the credentials in a property file and I am fetching them from that file, which is not the right way of doing it. One thing I can do is store the credentials in encrypted format, fetch the encrypted value and decrypt it to get the real value, or use preferences to store these credentials. Does anyone have a better way of doing this?
Upvotes: 2
Views: 577
Reputation: 4233
In a first simple approach, I think you could try hashing/digesting encryption, that is, you could use MD5, SHA1, SHA256, ... to obtain a digest that can't be unencrypted.
Then, when you want to check someone's credentials, you must obtain a digest of the credentials provided and check it against the previously stored digest.
This is a more secure way, it is relatively simple and you can keep using a file to store encrypted digests.
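Here you are with an MD5 and/or SHA sample that uses org.apache.commons.codec.digest.DigestUtils from Apache Commons Codec:

```java
import org.apache.commons.codec.digest.DigestUtils;

// clearPass is the clear-text credential to digest
String digestedSHA = DigestUtils.sha256Hex(clearPass);
String digestedMD5 = DigestUtils.md5Hex(clearPass);
```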
It is easy and straightforward. Of course there are more advanced options. Maybe you can start with this.
Hope it helps!
Upvotes: 1
Reputation: 11917
Have a read into Java's support for key stores.
http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
Upvotes: 2
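The key store approach suggested in the answer above, as an added example that is not part of the original answers: a service password is wrapped as a PBE secret-key entry in a PKCS12 `KeyStore` file and read back at runtime. It assumes Java 8 or later; the class name, the alias `billing-api`, the environment variable `KEYSTORE_PASS` and all sample values are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ServiceCredentialStore {
    private final Path file;
    private final KeyStore.PasswordProtection prot;
    private final KeyStore ks;

    ServiceCredentialStore(Path file, char[] storePass) throws Exception {
        this.file = file;
        this.prot = new KeyStore.PasswordProtection(storePass);
        this.ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(file)) {
            // A wrong store password or a tampered file fails here with an IOException.
            try (InputStream in = Files.newInputStream(file)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass); // start with an empty store
        }
    }

    // Wrap the service password (ASCII only for PBE keys) as a SecretKey and persist it.
    void put(String alias, char[] secret) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(secret));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), prot);
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, prot.getPassword()); }
    }

    // Returns the stored password, or null when the alias is absent.
    char[] get(String alias) throws Exception {
        KeyStore.Entry e = ks.getEntry(alias, prot);
        if (!(e instanceof KeyStore.SecretKeyEntry)) return null;
        SecretKey key = ((KeyStore.SecretKeyEntry) e).getSecretKey();
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm());
        return ((PBEKeySpec) f.getKeySpec(key, PBEKeySpec.class)).getPassword();
    }

    public static void main(String[] args) throws Exception {
        // KEYSTORE_PASS is a hypothetical name; the fallback is a constructed demo value only.
        char[] storePass = System.getenv().getOrDefault("KEYSTORE_PASS", "constructed-demo-pass").toCharArray();
        Path file = Files.createTempDirectory("creds").resolve("services.p12");
        new ServiceCredentialStore(file, storePass).put("billing-api", "constructed-secret".toCharArray());
        char[] back = new ServiceCredentialStore(file, storePass).get("billing-api");
        System.out.println("round trip ok: " + "constructed-secret".equals(new String(back)));
    }
}
```

The store password still has to reach the process from outside the property file (an environment variable here), and the `.p12` file should be readable only by the service account.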