user1183661

Reputation: 93

Storing passwords in an encrypted file

I'm writing this Java desktop application (no internet connection) that requires a few separate accounts. I need to store the login information in a file that can be accessed to check the passwords.

I have no idea how this should be done. How can you read the encrypted file without seeing others' passwords?

Upvotes: 2

Views: 1107

Answers (3)

Pablo

Reputation: 3673

You never need to decrypt the password. You'll need to save the username, the digested password and a salt. A salt is very important, because if you don't use it, it's easy to get the passwords with a rainbow table.

When you save a password, you need to generate a random salt. Then you concatenate it with the password, and digest it. Then you store the username, the digested password and the salt.

When you want to check a password, you concatenate the password the user has written with the salt stored for that user, digest it and compare it with the saved digested password.

Be careful with the digest algorithm that you will use. SHA-XX is not bad and it's included with Java by default.

Upvotes: 2
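The salt-and-digest scheme described in this answer, written out as an added example (not code from the question or from any answer). It swaps the plain SHA digest for PBKDF2WithHmacSHA256, a password-hashing function that also ships with Java, and compares digests in constant time. The `PasswordStore` class, the record format and the iteration count are assumptions chosen for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    private static final int SALT_BYTES = 16;       // 128-bit random salt per user
    private static final int ITERATIONS = 210_000;  // work factor; tune to your hardware
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Builds one line for the credentials file: username:iterations:base64(salt):base64(hash).
    // The password itself is never written; only the salted, stretched digest is.
    static String createRecord(String username, char[] password) throws Exception {
        if (username.contains(":")) throw new IllegalArgumentException("':' not allowed in username");
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return username + ":" + ITERATIONS + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
    }

    // Re-derives the digest from the submitted password and the stored salt, then
    // compares with MessageDigest.isEqual so the comparison time does not leak a prefix match.
    static boolean verify(String record, String username, char[] password) throws Exception {
        String[] f = record.split(":");
        if (f.length != 4 || !f[0].equals(username)) return false;
        int iterations = Integer.parseInt(f[1]);
        byte[] salt = Base64.getDecoder().decode(f[2]);
        byte[] expected = Base64.getDecoder().decode(f[3]);
        byte[] actual = pbkdf2(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the internal copy; the caller should also clear its own char[]
        }
    }

    public static void main(String[] args) throws Exception {
        String line = createRecord("alice", "correct horse".toCharArray()); // constructed sample
        System.out.println(line);
        System.out.println(verify(line, "alice", "correct horse".toCharArray()));
        System.out.println(verify(line, "alice", "wrong".toCharArray()));
    }
}
```

Each user gets a different salt, so two users with the same password produce different records, and a precomputed table is useless against the file.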

Mr.Eddart

Reputation: 10273

A usual and secure way is to proceed as follows:

  • Store the "username" in clear, and the password as SHA-1 digest (or similar).
  • When the user logs in, then digest the password with SHA-1 algorithm, and compare the result with the one that you had in the file. If the SHA-1 strings match, then the password was correct.

This ensures that someone with access to the file will not know the password (since MD5 is not reversible), and will not be able to log in to the application.

Upvotes: -1

Bogdan

Reputation: 944

The most common solution is not to encrypt the file, but the stored passwords. You can use a one-way encryption algorithm (which makes it easy to encrypt, hard to decrypt, and guarantees uniqueness of the encrypted password, so two different passwords will not result in the same encrypted string). When the user submits her password again, you encrypt her submission and compare the encrypted password with the one stored in your file.

Upvotes: 0
