From: markspace on 27 Sep 2009 13:04

Dave Searles wrote:
> It seems to me that if you have the hash and the salt, and know the
> algorithm for convolving the password with the salt, then you can still
> carry out a dictionary attack.

A dictionary attack pre-computes the hash, and then just scans the password file for a simple string match. The salt defeats this, because each bit in the salt doubles the storage needed for the dictionary.

<http://en.wikipedia.org/wiki/Salt_%28cryptography%29>

You're right in that if the password itself is weak and could be guessed, then all bets are off.
From: Roedy Green on 27 Sep 2009 14:47

On Fri, 25 Sep 2009 09:37:13 +0200, Uli Kunkel <genijalac(a)yahoo.com> wrote, quoted or indirectly quoted someone who said :
> I need to put a password for something as an application parameter.
> For now I'm using a properties file but the password isn't encrypted.

If your program can decrypt the passwords to plaintext, so can any hacker. Further, he can snoop on your socket when the app sends the passwords off to some other site. Anything you do to hide the passwords is just disguising them from casual observation.

--
Roedy Green Canadian Mind Products
http://mindprod.com
"Civilisation advances by extending the number of important operations which we can perform without thinking about them."
~ Alfred North Whitehead (born: 1861-02-15 died: 1947-12-30 at age: 86)
From: rossum on 27 Sep 2009 17:03

On Sun, 27 Sep 2009 11:47:14 -0700, Roedy Green <see_website(a)mindprod.com.invalid> wrote:
> On Fri, 25 Sep 2009 09:37:13 +0200, Uli Kunkel <genijalac(a)yahoo.com>
> wrote, quoted or indirectly quoted someone who said :
>
>> I need to put a password for something as an application parameter.
>> For now I'm using a properties file but the password isn't encrypted.
>
> If your program can decrypt the passwords to plaintext, so can any
> hacker. Further he can snoop on your socket when the apps sends the
> passwords off to some other site. Anything you do to hide the
> passwords is just disguising them from casual observation.

The attacker can always find out what the plaintext is by one means or another. The idea of security is to make it more costly in terms of resources or time. Ideally the cost to determine the plaintext is greater than the value to be gained from knowing it.

rossum
From: senatov on 28 Sep 2009 04:02

On 09/25/2009 09:37 AM, Uli Kunkel wrote:

It is a good idea and a standard solution to write in the config file not the password itself, but its control sum, hash number, etc. It's much more convenient to use.

--
Blessings on good deeds ☦. Иаков ඊස
From: Dave Searles on 28 Sep 2009 17:25

markspace wrote:
> Dave Searles wrote:
>>
>> It seems to me that if you have the hash and the salt, and know the
>> algorithm for convolving the password with the salt, then you can
>> still carry out a dictionary attack.
>
>
> A dictionary attack pre-computes the hash, and then just scans the
> password file for a simple string match. The salt defeats this, because
> each bit in the salt doubles the storage needed for the dictionary.
>
> <http://en.wikipedia.org/wiki/Salt_%28cryptography%29>
>
> You're right in that if the password itself is weak and could be
> guessed, then all bets are off.

As Tom explained, the salt does not make any single password harder to crack, but it does slow down an attack aimed at getting all (or the first) dictionary-vulnerable password. I was thinking in terms of protecting a particular targeted account (yours, say, or the superuser account), while you two were apparently thinking more of protecting all of the accounts in some statistical sense.

I still think the surest bet is to avoid using dictionary-attackable passwords. :)
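The point markspace and Dave Searles are circling (a precomputed table string-matches against an unsalted store in one pass, while per-record salt forces the table to be rebuilt per salt value, and neither helps a weak password) is easy to see in code. The following is an added example, not code from anyone in this thread: it stores a constructed set of users both unsalted (SHA-256 of the password alone) and salted (PBKDF2-HMAC-SHA256 with a random 16-byte salt and an assumed work factor of 100,000 iterations), builds a small constructed word list as a stand-in dictionary, and shows which store the precomputed table matches against. It also includes the audit check a defender can run on a leaked or inherited store: any hash shared by two users proves the store is unsalted.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list standing in for a precomputed dictionary.
WORDLIST = ["password", "letmein", "qwerty", "hunter2"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def unsalted_record(password: str) -> str:
    """The scheme a precomputed dictionary defeats: hash of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Per-record random salt plus iterated PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputed_table(wordlist) -> dict:
    """Built once, reusable against every unsalted store: hash -> word."""
    return {unsalted_record(w): w for w in wordlist}


def table_matches(hashes: dict, table: dict) -> dict:
    """markspace's 'simple string match': one dictionary lookup per stored hash."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def duplicate_hash_groups(hashes: dict) -> int:
    """Audit check: count hash values shared by more than one user.
    Any sharing means the store is unsalted (equal passwords => equal hashes)."""
    counts = {}
    for h in hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def table_size_factor(salt_bits: int) -> int:
    """Each salt bit doubles the table that would have to be precomputed."""
    return 2 ** salt_bits


def demo() -> dict:
    # Constructed users; alice and bob deliberately share a weak password.
    users = {"alice": "password", "bob": "password", "carol": "zebra-correct-horse"}
    table = precomputed_table(WORDLIST)

    unsalted = {u: unsalted_record(p) for u, p in users.items()}
    salted = {u: salted_record(p) for u, p in users.items()}
    salted_hashes = {u: r["hash"] for u, r in salted.items()}

    return {
        "unsalted_hits": table_matches(unsalted, table),
        "salted_hits": table_matches(salted_hashes, table),
        "unsalted_dupes": duplicate_hash_groups(unsalted),
        "salted_dupes": duplicate_hash_groups(salted_hashes),
        "alice_verifies": verify_salted("password", salted["alice"]),
        "alice_rejects_wrong": verify_salted("Password", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the table naming alice and bob from the unsalted store with two lookups, zero matches and zero duplicate hashes in the salted store, and the salted record still verifying its own password. The salt buys nothing for alice's individual password, which is Dave Searles' point; what it removes is the one-pass match across the whole file and the visibility of who shares a password.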