encrypting password


Lionel

Hi,

My application currently stores a user name and password using the
Preferences class. I assume this is stored somewhere in plain text,
either way it is insecure. How do I go about saving a password when it
is entered so that I don't have to ask for it later? The password is
used to access MySQL.

Lionel.

Arne Vajhøj

Lionel said:
My application currently stores a user name and password using the
Preferences class. I assume this is stored somewhere in plain text,
either way it is insecure. How do I go about saving a password when it
is entered so that I don't have to ask for it later? The password is
used to access MySQL.

It is very difficult to both enable your program to
read the password and prevent the user from reading
the password.

For client side apps it is often best to give users
individual passwords and have them enter it.

Arne

Lionel

Arne said:
It is very difficult to both enable your program to
read the password and prevent the user from reading
the password.

For client side apps it is often best to give users
individual passwords and have them enter it.

I was actually sort of thinking that might be the case. When I thought
about the problem I couldn't think how it would be possible. Maybe I
need to make it a little less user friendly by requiring them to enter a
password.

Lionel.

Brandon McCombs

Lionel said:
I was actually sort of thinking that might be the case. When I thought
about the problem I couldn't think how it would be possible. Maybe I
need to make it a little less user friendly by requiring them to enter a
password.

Lionel.

I am working on an LDAP administration client-side application which
provides various options for the administrator to authenticate through
the app back to the LDAP server. One is using Kerberos through Windows
XP but another is simply entering a username and password. I allow the
configuration to be saved to disk but I do not save the password in that
file. I always require the user to enter the password (after loading
their config data from the file) before they can connect to the LDAP
server. I also use a JPasswordField to mask the password but I do keep
it around in plaintext in the object that represents the configuration
settings.

hope that helps.
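The start-up prompt Brandon describes, written out as an added Java example (not code from the thread or from his application): the Preferences node keeps only host, database and user name, the password is collected in a JPasswordField as a char[], handed to JDBC, and then overwritten. The node name, host and database values are placeholders, and running it needs a MySQL JDBC driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.prefs.Preferences;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;

/**
 * Added example (not from the thread): persist only the non-secret parts of
 * the connection settings and ask for the password at every start-up.
 * The preferences node name, host and database are placeholders.
 */
public class DbLogin {
    private static final Preferences PREFS =
            Preferences.userRoot().node("example/dblogin"); // placeholder node name

    /** Save everything except the password. */
    static void saveSettings(String host, String database, String user) {
        PREFS.put("host", host);
        PREFS.put("database", database);
        PREFS.put("user", user);
        // Deliberately no PREFS.put("password", ...): the preferences store is
        // readable by anything running as this user, so a password kept there
        // is no better protected than plain text.
    }

    /** Prompt with a masking field; returns null if the user cancels. */
    static char[] promptForPassword(String user) {
        JPasswordField field = new JPasswordField(20);
        int choice = JOptionPane.showConfirmDialog(null, field,
                "Password for " + user, JOptionPane.OK_CANCEL_OPTION);
        return choice == JOptionPane.OK_OPTION ? field.getPassword() : null;
    }

    /** Open the connection, then wipe the password array whatever the outcome. */
    static Connection connect(char[] password) throws SQLException {
        String url = "jdbc:mysql://" + PREFS.get("host", "localhost") + "/"
                + PREFS.get("database", "test");
        // JDBC takes a String, so one immutable copy exists until it is garbage
        // collected; the char[] we control is cleared immediately.
        try {
            return DriverManager.getConnection(url, PREFS.get("user", ""),
                    new String(password));
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws SQLException {
        saveSettings("db.example.invalid", "appdb", "lionel"); // placeholder values
        char[] pw = promptForPassword(PREFS.get("user", ""));
        if (pw == null) {
            System.out.println("No password entered; not connecting.");
            return;
        }
        try (Connection c = connect(pw)) {
            System.out.println("Connected as " + PREFS.get("user", ""));
        }
    }
}
```

The char[] returned by JPasswordField.getPassword() is the one place the application holds the password in a form it can erase; keeping it in a String-typed configuration object, as Brandon mentions doing, leaves copies in the heap that cannot be cleared on demand.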

jiji

My application currently stores a user name and password using the
Preferences class. I assume this is stored somewhere in plain text,
either way it is insecure. How do I go about saving a password when it
is entered so that I don't have to ask for it later? The password is
used to access MySQL.

why can't u use some kind of encryption (MD5, SHA etc) before putting it
as a node??
and later, whenever u need that password, just decrypt it..

Dag Sunde

jiji said:
why can't u use some kind of encryption (MD5, SHA etc) before putting it
as a node??
and later, whenever u need that password, just decrypt it..

And how do you "decrypt" a one-way hash?
:)

jiji

And how do you "decrypt" a one-way hash?
:)

Yes.. it's not possible.. so.. you can use other encryptions like DES..

My application uses MD5 encryption for storing the password in DB and
when the user logs in to the application, the password supplied by the
user will be encrypted with MD5 and compared with DB - this way I'm
authenticating.

Dag Sunde

Gordon said:
Why should you *need* to decrypt it?

/gordon

Because the OP wants to store them to use for MySQL login later:
<quote>
The password is used to access MySQL.
</quote>

Matt Humphrey

jiji said:
Yes.. it's not possible.. so.. you can use other encryptions like DES..

As others have been trying to point out, you can't encrypt the password even
with DES or any other technique because doing so requires a key for
decryption which must also be stored, or have the user enter. Simply having
the user enter the password is the best choice in this case. (Although if
you have many passwords and other data to secure you can store them all and
have the user enter the main key, but that's a different story.)
My application uses MD5 encryption for storing the password in DB and
when the user logs in to the application, the password supplied by the
user will be encrypted with MD5 and compared with DB - this way I'm
authenticating.

This technique is perfectly fine and is very common for authentication. It
just doesn't apply to the OP's problem which is to store a password that can
be re-sent to another application.

Matt Humphrey (e-mail address removed) http://www.iviz.com/
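Both patterns Matt separates here, as one added Java example (not code from the thread or from any poster's application). verify() is jiji's "hash the login attempt and compare" check, with a random salt and PBKDF2 in place of bare MD5; seal()/open() is Matt's parenthetical case, where the stored MySQL password is encrypted under a key derived from a main password the user types, so no key has to be stored next to the ciphertext. The iteration count, the AES-GCM choice and the Base64 "salt:iv:ciphertext" layout are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the thread). One password-based key derivation
 * serves two jobs: a salted verifier for login checks, and an encryption
 * key for a credential the program must later hand to MySQL in clear.
 * Parameters and storage layout are this example's own choices.
 */
public class PasswordKeys {
    private static final int ITERATIONS = 210_000;   // assumed work factor
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** PBKDF2-HMAC-SHA256: slow, salted stretch of a password into key material. */
    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    // ---- 1. Authentication: store a salted hash, never the password ----------

    static String hashForStorage(char[] password) throws GeneralSecurityException {
        byte[] salt = randomBytes(SALT_BYTES);
        return enc(salt) + ":" + enc(derive(password, salt));
    }

    static boolean verify(char[] attempt, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":", 2);
        // MessageDigest.isEqual compares in constant time, unlike Arrays.equals.
        return MessageDigest.isEqual(derive(attempt, dec(parts[0])), dec(parts[1]));
    }

    // ---- 2. Credential store: encrypt under a key only the user can supply ---

    /** Encrypt a secret under the main password; output is salt:iv:ciphertext. */
    static String seal(char[] main, char[] secret) throws GeneralSecurityException {
        byte[] salt = randomBytes(SALT_BYTES);
        byte[] iv = randomBytes(GCM_IV_BYTES);   // fresh IV per encryption, required by GCM
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(derive(main, salt), "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plain = new String(secret).getBytes(StandardCharsets.UTF_8);
        byte[] ct = aes.doFinal(plain);
        Arrays.fill(plain, (byte) 0);
        return enc(salt) + ":" + enc(iv) + ":" + enc(ct);
    }

    /** Decrypt; a wrong main password fails the GCM tag check and yields null. */
    static char[] open(char[] main, String blob) throws GeneralSecurityException {
        String[] p = blob.split(":", 3);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(derive(main, dec(p[0])), "AES"),
                new GCMParameterSpec(GCM_TAG_BITS, dec(p[1])));
        try {
            return new String(aes.doFinal(dec(p[2])), StandardCharsets.UTF_8).toCharArray();
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    private static String enc(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] dec(String s) { return Base64.getDecoder().decode(s); }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values.
        String record = hashForStorage("hunter2".toCharArray());
        System.out.println("login ok:     " + verify("hunter2".toCharArray(), record));
        System.out.println("login wrong:  " + verify("hunter3".toCharArray(), record));

        char[] main = "main-pass-phrase".toCharArray();
        String stored = seal(main, "mysql-secret".toCharArray()); // safe to keep in Preferences
        System.out.println("recovered:    " + new String(open(main, stored)));
        System.out.println("wrong main:   " + open("wrong".toCharArray(), stored));
    }
}
```

The sealed blob can live in Preferences because everything in it is public except what is protected by the main password, and that password is never written anywhere. The trade-off is exactly the one Lionel arrives at later in the thread: the user still types a secret at start-up, it is just one main password rather than each stored credential.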

jiji

Matt said:
As others have been trying to point out, you can't encrypt the password even
with DES or any other technique because doing so requires a key for
decryption which must also be stored, or have the user enter. Simply having
the user enter the password is the best choice in this case. (Although if
you have many passwords and other data to secure you can store them all and
have the user enter the main key, but that's a different story.)

Why can't we use some key for encryption at least for a login session??
See, if it's a web application, then you can use session id as
encryption key..
or you can use user name as encryption key..

In one of the applications I'm currently working on, the key for encryption
will be generated as follows

Key : head + userName + mid + session id + tail

head, mid, tail are 10 digit numbers which will be generated randomly
on each application startup (meaning when u start the web application,
these numbers will be generated and stored in a static variable). These
numbers are used to ensure the security of the system.

And for all other encryptions, I use this key..

For each user login, userName and session id will change and it will
be valid as long as the session is alive.

Jiji

Oliver Wong

jiji said:
Why can't we use some key for encryption at least for a login session??

Because you'd have to store that key somewhere in order to later use it
for decryption.

Either you have a secure place to store that key, or you don't. If you
do have a secure place to store that key, then you might as well just store
the original password there instead, and save yourself all this hassle. If
you don't have a secure place to store the key, then you haven't gained any
security at all, because any malicious user could gain access to your key,
and decrypt your original password.

- Oliver

Lionel

Dag said:
Because the OP wants to store them to use for MySQL login later:
<quote>
The password is used to access MySQL.
</quote>

I think it's become clear that to keep the password secure it must be
entered by the user at start-up. I can then authenticate and get a
connection to the database and all is done. It just means that each time
the application is restarted they must re-enter their password. A minor
inconvenience but that's the way it's got to be.

Lionel.

RedGrittyBrick

jiji said:
why can't u use some kind of encryption (MD5, SHA etc) before putting it
as a node??
and later, whenever u need that password, just decrypt it..

Dag Sunde already pointed out that MD5 is a one-way hash that cannot be
decrypted.

If you used a symmetric encryption algorithm instead, you'd still have
to store the encryption/decryption key somewhere safe, so you're not
really achieving much.