Reputation: 2200
Where to store confidential information?
I have developed one desktop application in java in which i have taken user's credentials. I have developed this application to make it run on any plateform. Now confusion is that i am getting is where to store this credential information. Is a file a proper location for it ? Or should i store it according to the plateform used? like in windows i can use registry to store this information. But what about linux and other plateforms? Is there any standard solution which can help me or use of file is the only way to do it? I initially thought to store it in properties file but any knowledgeable person can browse the content of the jar and can have that property file so i think it is also not appropriate solution. Kindly tell me a better way to store this credentials. Credentials are encrypted.
Upvotes: 2
Views: 611
Answers (3)
Reputation: 1424
Encrypting the password is the best option in this case. So, you can save it in a file. Never store a password as plain text -- in file, database or elsewhere. I think this is quite extensive and helpful article on this topic: http://www.codeproject.com/KB/recipes/StoringPasswords.aspx.
Upvotes: 4
Reputation: 5104
Since your application is targeting multiple platforms I don't think you should implement a platform-specific option, even if you provide a way to implement the same functionality in other platforms. One can always browse the windows registry anyway, for example.
If the credentials are encrypted using am algorithm currently accepted as secure, I don't think you have much to worry about. Obscure the credentials in a place you see more fit, and the encryption should do the rest, that's why it exists.
Just don't forget to secure the key used to encrypt the credentials too.
Upvotes: 1
Reputation: 88757
If credentials are encrypted you might just store them in a file, preferably in the user's home directory. You might also encrypt the file itself to prevent others from reading it directly.
Using this you have 3 levels of security:
- Only users with access to the home directory (the user herself and any administrators) have access to the file. You also can have multiple files - one per user.
- The file is encrypted, so only those that have access to the decryption key and who know the encyption method could decrypt it.
- The credentials are encrypted to, normally using an asynchronous algorithm. Thus the plain text can't be reconstructed with any reasonable effort.
Upvotes: 3
Related Questions
- Securely store user account details required for use in code
- Storage of sensitive data
- What is the best practice for securely storing passwords in Java
- Where should I store credentials for my java application to access third party services?
- Storing usernames and passwords securely
- Where should i store credentials and how get them back?
- Where can I store saved password locally but securely in Java?
- Where do you store database passwords?
- How can I store sensitive data in Java configuration files?
- Java - store sensitive data