From: Uli Kunkel on 25 Sep 2009 03:37

I need to put a password for something as an application parameter.
For now I'm using a properties file but the password isn't encrypted.

I suppose I could encrypt with something and hardcode that encryption
key in the application..

Are there any applications with this purpose?
I'd like to know what are practices of other people?

Thanks in advance for any suggestions.

From: grz01 on 25 Sep 2009 03:55

On Sep 25, 9:37 am, Uli Kunkel <genija...(a)yahoo.com> wrote:
> I need to put a password for something as an application parameter.
> For now I'm using a properties file but the password isn't encrypted.
>
> I suppose I could encrypt with something and hardcode that encryption
> key in the application..
>
> Are there any applications with this purpose?
> I'd like to know what are practices of other people?
>
> Thanks in advance for any suggestions.

I think this is what you're looking for:

http://www.jasypt.org/

Have only used it briefly (for just such purpose) but worked without
problems.

/ grz01

From: Uli Kunkel on 25 Sep 2009 05:05

grz01 wrote:
> On Sep 25, 9:37 am, Uli Kunkel <genija...(a)yahoo.com> wrote:
>> I need to put a password for something as an application parameter.
>> For now I'm using a properties file but the password isn't encrypted.
>>
>> I suppose I could encrypt with something and hardcode that encryption
>> key in the application..
>>
>> Are there any applications with this purpose?
>> I'd like to know what are practices of other people?
>>
>> Thanks in advance for any suggestions.
>
> I think this is what you're looking for:
>
> http://www.jasypt.org/
>
> Have only used it briefly (for just such purpose) but worked without
> problems.
>
> / grz01
>

Yes that was exactly what I was looking for.
But I see the problem is in hard-coding the password.
Are there any tricks and suggestions for storing the encryption key?

From: rossum on 25 Sep 2009 05:34

On Fri, 25 Sep 2009 09:37:13 +0200, Uli Kunkel <genijalac(a)yahoo.com> wrote:
>
>I need to put a password for something as an application parameter.
>For now I'm using a properties file but the password isn't encrypted.
>
>I suppose I could encrypt with something and hardcode that encryption
>key in the application..
>
>Are there any applications with this purpose?
>I'd like to know what are practices of other people?
>
>
>Thanks in advance for any suggestions.

Who are you trying to protect the password from? There are many
methods suitable for different situations.

One possible method is to store the password as two byte arrays.
Convert the password to an array of bytes. Then generate a second
byte array the same length filled with random bytes using SecureRandom
(not Random). Store the random byte array and the XOR of the two
arrays. If you are using a text only storage medium, such as the
properties file, then you may need to convert to Base64 text before
storing. Consider putting one array in the properties file and the
other array elsewhere.

To recover the password read the two byte arrays. XOR the two
together and convert the resulting byte array back into the original
text password.

  Encryption: cyphertext <- plaintext XOR key
  Decryption: plaintext <- cyphertext XOR key

Change the second, random, byte array regularly. How regularly
depends on how secure you want things to be. It is probably easy
enough to change it every time the password is used which gives you a
One Time Pad.

Do not call the two stored byte arrays "password1" and "password2"!

For something more secure, keep the decryption key (the random array)
on a USB stick that is removed from the computer and stored in a
locked safe when the password is not needed.

rossum
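
The two-array XOR split described in rossum's post above, written out as an added example that is not part of the original thread. The class name `XorSplit`, its method names and the sample password are hypothetical, and `java.util.Base64` assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example: split a secret into a random pad and (secret XOR pad).
public class XorSplit {
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns {padBase64, maskedBase64}; store each in a different place. */
    static String[] split(String password) {
        byte[] plain = password.getBytes(StandardCharsets.UTF_8);
        byte[] pad = new byte[plain.length];
        RNG.nextBytes(pad);                       // SecureRandom, not Random
        byte[] masked = xor(plain, pad);
        Arrays.fill(plain, (byte) 0);             // clear our working copy
        Base64.Encoder enc = Base64.getEncoder(); // text-safe for a properties file
        return new String[] { enc.encodeToString(pad), enc.encodeToString(masked) };
    }

    /** Recombines the two stored arrays into the original password. */
    static String join(String padB64, String maskedB64) {
        Base64.Decoder dec = Base64.getDecoder();
        return new String(xor(dec.decode(padB64), dec.decode(maskedB64)),
                          StandardCharsets.UTF_8);
    }

    private static byte[] xor(byte[] a, byte[] b) {
        if (a.length != b.length)
            throw new IllegalArgumentException("share length mismatch");
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }

    public static void main(String[] args) {
        String secret = "constructed-sample-password";   // constructed sample value
        String[] shares = split(secret);
        System.out.println("location A: " + shares[0]);
        System.out.println("location B: " + shares[1]);
        // Re-splitting after each use replaces both arrays with a fresh random pad.
        String[] rotated = split(join(shares[0], shares[1]));
        if (!join(rotated[0], rotated[1]).equals(secret)) throw new AssertionError();
        if (Arrays.equals(shares, rotated)) throw new AssertionError("pad not refreshed");
    }
}
```

Either array on its own reveals only the password's byte length; anyone who can read both locations recovers the password, so the protection comes entirely from keeping the two arrays apart.
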
From: Xavier Nayrac on 25 Sep 2009 05:43

Uli Kunkel wrote:
>
> I need to put a password for something as an application parameter.
> For now I'm using a properties file but the password isn't encrypted.
>
> I suppose I could encrypt with something and hardcode that encryption
> key in the application..
>

Why use a key? Why not use a hash (SHA*, md5)?

--
Xavier Nayrac