Reputation: 544
I have a password/key that I need to use in my Java program. I need to use it with an external application so 2-way encryption is not an option. My issue with 1-way encryption is that the decryption key will be lying around my code somewhere so it isn't any more secure in the end. So how do I store this password safely? I was thinking of storing it in an external file that is read in but I don't know how well this would work for deployment and such.
Upvotes: 0
Views: 86
Reputation: 727047
As far as storing passwords goes, you don't have a good option: a sufficiently determined person will find a way to get to your password. In fact, the development of one-way encryption is the result of a simple realization that a good option for storing recoverable passwords does not exist.
If you must communicate with an application that requires a password, and you are not willing to have the end-user provide that password each time it is needed to log in, you could use a non-portable way of encrypting a small amount of text that is often available on many operating systems. The idea is to "piggyback" on some encryption done by the OS, which is protected by the credentials of the current user or the current network service.
For example, on Windows you could use the Current User Hive of the Windows Registry to store the password, and then read that password from your Java program. The password is stored in encrypted form, and is available only to the current user. The protection relies on users supplying their login credentials before running your program.
On Mac OS you could get similar kind of protection by storing the password in the keychain. In both cases you end up with a non-portable solution.
Upvotes: 0
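The keychain variant of this answer, as an added example that is not part of the answer itself: the Java program never holds the credential; an administrator stores it once in the user's login keychain with the macOS `security` command, and the program asks the keychain for it at runtime. The service name `example-service` and account name `deploy` are assumptions for the illustration, and the code only works on macOS with the keychain unlocked for the user running it.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example: fetch a secret that an administrator has stored once in the
 * user's login keychain with the macOS "security" command, e.g.
 *
 *   security add-generic-password -a deploy -s example-service -w
 *
 * Putting "-w" last with no value makes the tool prompt for the password
 * instead of taking it on the command line, where "ps" would show it.
 * The service and account names are assumptions for the illustration.
 * macOS only; the keychain must be unlocked for the user running the program.
 */
public final class KeychainSecret {
    private static final String SERVICE = "example-service";
    private static final String ACCOUNT = "deploy";

    private KeychainSecret() {}

    /** Returns the secret as a char[] so the caller can wipe it after use. */
    public static char[] read() throws IOException, InterruptedException {
        Process p = new ProcessBuilder(
                "security", "find-generic-password",
                "-a", ACCOUNT, "-s", SERVICE, "-w").start();
        String line;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            line = r.readLine();   // with -w the tool prints only the password
        }
        int rc = p.waitFor();
        if (rc != 0 || line == null) {
            // Non-zero exit: item not found, keychain locked, or access denied by the user.
            throw new IOException("keychain lookup failed, exit status " + rc);
        }
        return line.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        char[] secret = read();
        try {
            System.out.println("read " + secret.length + " characters from the keychain");
        } finally {
            Arrays.fill(secret, '\0');   // wipe the copy we control; the String read is immutable
        }
    }
}
```

The protection is exactly what the answer describes: whoever can unlock that user's keychain can read the item, and nobody else can. A Windows counterpart would need a native call from Java rather than a shell-out, which is why the answer calls both approaches non-portable. Note also that the intermediate `String` cannot be wiped, so the secret lives in the heap until garbage collection even after the `char[]` is cleared.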
Reputation: 3294
As the comments say, you cannot do this in a secure way. Anything that allows you to retrieve the password will open the possibility for someone else to do it also. What you can do is have a separate password for each installation and let the user/admin that installs the application worry about securing the password. That would allow them to store the password in a separate file or input it during application startup or whatever feels secure enough.
If the password is to an external service there is a good chance they want to have some control over the usage anyway.
If the password is to your own service you might ask yourself what your "threat model" is. Is it really a problem if someone retrieves the password, and if it is you probably want to be able to shut down that password without affecting all users/installations.
Upvotes: 1
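Both delivery options this answer suggests, as an added example that is not part of the answer: the program ships with no credential at all, and each installation's admin either places it in a file that only the service account can read or types it at startup. Before trusting the file, the program checks that no group or other permission bits are set, so a world-readable secret is refused rather than silently used. The path `/etc/myapp/service.secret` is an assumption for the illustration; the permission check relies on POSIX file attributes and will not work on Windows filesystems.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Set;

/**
 * Added example: the program never contains the credential. The admin of each
 * installation either writes it to a file only the service account can read, e.g.
 *
 *   (umask 077 && printf '%s' "$SECRET" > /etc/myapp/service.secret)
 *
 * or types it at startup. The file location is an assumption for the
 * illustration. The permission check uses POSIX attributes, so it throws
 * UnsupportedOperationException on filesystems that do not have them.
 */
public final class InstallationSecret {
    private InstallationSecret() {}

    /** True only if no group or other bit is set on the file. */
    static boolean ownerOnly(Set<PosixFilePermission> perms) {
        for (PosixFilePermission p : perms) {
            switch (p) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return false;
                default:
                    break;
            }
        }
        return true;
    }

    /** Loads the secret from the admin-provided file, refusing group- or world-readable files. */
    static char[] readFromFile(Path path) throws IOException {
        if (!ownerOnly(Files.getPosixFilePermissions(path))) {
            throw new IOException(path + " is readable by other users; refusing to load it");
        }
        byte[] raw = Files.readAllBytes(path);
        char[] secret = new String(raw, StandardCharsets.UTF_8).trim().toCharArray();
        Arrays.fill(raw, (byte) 0);
        return secret;
    }

    /** Asks the admin at startup; Console.readPassword does not echo the input. */
    static char[] readFromConsole() {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console; pass a secret file path instead");
        }
        return console.readPassword("Password for the external service: ");
    }

    /** With an argument, read the file at that path; without one, prompt. */
    public static char[] load(String[] args) throws IOException {
        return args.length > 0 ? readFromFile(Paths.get(args[0])) : readFromConsole();
    }

    public static void main(String[] args) throws IOException {
        char[] secret = load(args);
        try {
            // hand the secret to the client for the external service here
            System.out.println("loaded a " + secret.length + "-character secret");
        } finally {
            Arrays.fill(secret, '\0');   // wipe our copy once it has been used
        }
    }
}
```

Because every installation carries its own credential, the point the answer makes about revocation follows naturally: if one host's secret leaks, the service side can disable that one credential without touching the other installations.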
Reputation: 9579
If you use one-way encryption, then you can only encrypt, not decrypt.
In your password file, have salted, encrypted passwords. The algorithm is:
encrypt(password + id);
When someone logs in, do the following:
Upvotes: 0
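The password-file scheme this answer sketches, carried through both halves (writing the record and checking a login), as an added example that is not part of the answer. In place of the answer's `encrypt(password + id)` it uses PBKDF2-HMAC-SHA256 with a random per-user salt, a swap made deliberately: the salt prevents two users with the same password from getting the same record, and the iteration count slows down offline guessing if the file is stolen. The record format `iterations$salt$hash` and the sample user are constructed for the illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example: a password file holding only salted, one-way hashes, plus the
 * login-time check. Instead of the answer's encrypt(password + id), each user
 * gets a random salt and the hash is PBKDF2-HMAC-SHA256, so a stolen file
 * cannot be turned back into passwords. The record format is an assumption.
 */
public final class PasswordFile {
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 210_000;
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    private PasswordFile() {}

    /** One line of the password file: iterations$salt$hash, salt and hash base64-encoded. */
    static final class Record {
        final int iterations;
        final byte[] salt;
        final byte[] hash;

        Record(int iterations, byte[] salt, byte[] hash) {
            this.iterations = iterations;
            this.salt = salt;
            this.hash = hash;
        }

        String serialize() {
            Base64.Encoder enc = Base64.getEncoder();
            return iterations + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
        }

        static Record parse(String line) {
            String[] f = line.split("\\$");
            if (f.length != 3) {
                throw new IllegalArgumentException("malformed password record");
            }
            Base64.Decoder dec = Base64.getDecoder();
            return new Record(Integer.parseInt(f[0]), dec.decode(f[1]), dec.decode(f[2]));
        }
    }

    /** One-way derivation: the same password and salt always give the same bytes. */
    static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the password
        }
    }

    /** Run when an account is created or its password changed. */
    static Record enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new Record(ITERATIONS, salt, derive(password, salt, ITERATIONS));
    }

    /**
     * Run at login: re-derive with the stored salt and compare. MessageDigest.isEqual
     * compares in constant time, so a wrong guess does not reveal how many bytes matched.
     */
    static boolean verify(Record stored, char[] attempt) throws Exception {
        byte[] candidate = derive(attempt, stored.salt, stored.iterations);
        return MessageDigest.isEqual(candidate, stored.hash);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the on-disk password file: user id -> record line.
        Map<String, String> file = new HashMap<>();
        file.put("alice", enroll("correct horse battery".toCharArray()).serialize());

        Record alice = Record.parse(file.get("alice"));
        System.out.println("right password accepted: "
                + verify(alice, "correct horse battery".toCharArray()));
        System.out.println("wrong password accepted:  "
                + verify(alice, "Correct horse battery".toCharArray()));
    }
}
```

Storing the iteration count in each record lets you raise it later for new enrollments while old records still verify, and rehash a user on their next successful login. This scheme only applies where your program is the one checking passwords; it does not help when the program must present a recoverable password to an external service, which is the situation in the question.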